Attacks/Breaches

7/26/2016 05:10 PM
Obama Issues Federal Government Policy For Cyberattack Response

New Presidential Policy Directive, PPD-41, solidifies how key federal agencies coordinate and respond to cyberattacks on federal and private networks.

President Obama today issued a key directive formalizing just how federal agencies operate, coordinate, and respond to major cyberattacks and cyber incidents considered a danger to national security, the government, the economy, and critical infrastructure.

The new Presidential Policy Directive, PPD-41, specifies the FBI and the National Cyber Investigative Task Force of the US Department of Justice as the lead agencies for threat response, while the US Department of Homeland Security is the lead agency for “asset” response, via the National Cybersecurity and Communications Integration Center, aka the NCCIC. The Office of the Director of National Intelligence, via the Cyber Threat Intelligence Integration Center, is the lead agency for intelligence support and related efforts, the directive states.

A “significant” cyber incident is defined by PPD-41 as one whose outcome could harm national security interests, foreign relations, the US economy, public confidence, civil liberties, or the public health and safety of US citizens. The directive’s definition of a cyber incident also covers vulnerabilities, system security procedures, internal controls, or implementations that could be abused by an attacker.

“While the vast majority of cyber incidents can be handled through existing policies, certain cyber incidents that have significant impacts on an entity, our national security, or the broader economy require a unique approach to response efforts. These significant cyber incidents demand unity of effort within the Federal Government and especially close coordination between the public and private sectors,” the directive reads.

President Obama’s new directive basically forms a game plan for agencies to work with one another on major cybersecurity events, notes Tom Kellermann, who previously served on the Commission on Cybersecurity for the 44th Presidency. “It also highlights how … the nature of responses [required now] for attacks that could be destructive and [the] increasing hostility of the environment shows the need for more cooperation,” says Kellermann, who is CEO of Strategic Cyber Ventures LLC.

The directive comes in the wake of the massive Office of Personnel Management (OPM) breach in 2015, and as the FBI is investigating the possible involvement of the Russian government in the recent breach of the Democratic National Committee’s (DNC) email system. Some of the DNC’s emails, many of them indicating the committee’s bias toward Hillary Clinton over Bernie Sanders, were dumped online by WikiLeaks this week just in time for the Democratic National Convention and presidential nomination of Clinton.

Chris Blask, chair of the ICS-ISAC, says the President's new directive basically formalizes how the federal government will respond and coordinate in cyber incidents and attacks. “The private sector can get some insight into where the feds are now. It’s another indication of the escalation of interest and capabilities inside the federal government to support private industry” partners, Blask says.

Missing from the President’s new policy, however, is a so-called “Cyber 911” for the private industry, Kellermann says. “My one suggestion is they need to have a Cyber 911,” a cyber incident emergency plan for commercial entities, he says. “When you call 911 in an emergency, you get police, ambulance, or fire” department support, he says.

But with cybersecurity, the private sector today gets only police support when it calls the FBI. “Metaphorically, this is a great action plan … but it should be expanded to the private sector,” where many organizations lack the resources to handle and recover from major cyberattacks, he says.

The private sector should have a streamlined process for getting help with “systemic” attacks. “DHS US-CERT and NCCIC should work in tandem with FBI to limit secondary infections,” he says.


“The problem for the past ten years is that [they’ve] failed at exterminating the cyber-presence of adversaries who have colonized” US networks, Kellermann says. “There was no quick enough response to react in time … nor a national coordination perspective. This PPD is all about decreasing the dwell time to prevent further colonization” of nation-states and other attackers, he says.

The FBI said the policy codifies the bureau’s role in cyberattack response. James Trainor, assistant director of the FBI cyber division, said in a statement, “This new policy will also enhance the continuing efforts of the FBI—in conjunction with its partners—to protect the American public, businesses, organizations, and the economy and security of our nation from the wide range of cyber actors who threaten us.”

PPD-41 also lists five incident response principles for the feds: shared responsibility among individuals, government, and the private sector in protecting networks from attack; risk-based response; respecting affected entities (think privacy and civil liberties); unity of effort, meaning keeping all relevant agencies in the loop; and enabling restoration and recovery as soon as possible.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
Comments
Dr.T, User Rank: Ninja, 7/27/2016 | 12:04:21 PM
Re: Positive, but concerned
"floundering compared to more tech-minded countries overseas"

I hear you. I would not think the other countries are better than the US. Most are more repressive, even in the Western world; it is just that we are not hearing about them as often.
Dr.T, User Rank: Ninja, 7/27/2016 | 12:01:47 PM
Encryption?

Is there anything related to device encryption in this policy? Remember Apple vs. government?
Dr.T, User Rank: Ninja, 7/27/2016 | 12:01:26 PM
DNC email system leak

The DNC email system leak is not a new attack, but somehow it has surfaced these days; it seems there is politics playing a role in this too.
Dr.T, User Rank: Ninja, 7/27/2016 | 12:00:57 PM
Re: Positive, but concerned
"I feel like either of them would make horrible technological decisions and leave the U.S."

I would say it is more like their advisers, not the presidents, who make the decision. Presidents would make a decision based on the support of the public.
Dr.T, User Rank: Ninja, 7/27/2016 | 11:58:38 AM
PPD-41

If it does what the title says it does, there is no harm in this policy. Federal agencies are supposed to operate, coordinate, and respond to major cyberattacks.
Whoopty, User Rank: Ninja, 7/27/2016 | 8:03:11 AM
Positive, but concerned

While it's been pleasing to see Obama take more of an interest in digital security over the past year or so, I am truly worried that neither Clinton nor Trump would understand technology well enough to take it seriously. Clinton's handling of her email server is a prime example. I feel like either of them would make horrible technological decisions and leave the U.S. floundering compared to more tech-minded countries overseas.