President Barack Obama signed a Cyber Incident Coordination policy directive on Tuesday that puts processes in place for how the government will respond to malicious or accidental threats to the nation’s public and private cyber infrastructure.
The White House directive is designed to improve coordination between government agencies and bring clarity between departments in the event of an incident. The move is seen as an important step for the federal government as it faces an increase in the number of cyber threats.
Policy experts applaud the move and say it codifies a mix of existing informal and formal cooperative measures between agency stakeholders including the DHS, FBI and NSA.
The Cyber Incident Coordination directive (PPD-41) covers a wide range of cyber threats and defines many different types of responses, such as assigning departmental responsibility on a per-incident basis, handling of sensitive data, and inter-agency responsibilities for restoring systems.
The directive goes so far as to identify the agencies on the front lines of incident response. While working through the FBI and the National Cyber Investigative Joint Task Force, the Justice Department will be responsible for coordinating a response to an “immediate cyber threat.” The DOJ will be responsible for communicating incident response details with DHS, stakeholders and with law enforcement in an effort to collect evidence and intelligence with the priority of stopping the immediate threat.
DHS is responsible for “asset response” and helping organizations recover systems to normal operations.
The FBI, according to the directive, will work with state and local agencies, along with non-governmental agencies, in the event of a major cyber event. Together, with the FBI taking the lead, they will work with other federal agencies and respond as the Cyber Unified Coordination Group.
Part of the directive includes creating a color schema for describing the severity of cyber incidents that harkens back to the Homeland Security Advisory System put in place during the Bush administration in 2002. The Cyber Incident Severity Schema goes from Level 1 (green, or low) to Level 5 Emergency (black), where a cyber-attack poses a wide-scale imminent threat to critical infrastructure that could have physical consequences.
The directive also impacts the private sector and acknowledges the interconnected nature of the cyber landscape and the shared public and private impact of a cyber incident. “The relevant sector-specific agency will generally coordinate the Federal Government’s efforts to understand the potential business or operational impact of a cyber incident on private sector critical infrastructure,” the directive reads. A Level 1 Low (green) threat is unlikely to impact public safety, economic security or civil liberties.
“The Federal government is one of the biggest repositories of data that we have – from Social Security and IRS data alone. It’s absolutely a good idea that these agencies – that may not have been incented to work together in the past – are now given a directive on how to cooperate in the future,” said Kim Phan, an attorney with Ballard Spahr, a legal firm specializing in privacy and data security. “A lot of these agencies have a hard enough time sharing regular information. This makes sure there is intelligent data sharing and cooperation where there may not have been,” she said.
Private-sector stakeholders representing the banking, insurance and investment community also applauded the White House’s move. “Ensuring the private sector and the government clearly understand roles and responsibilities in advance of a cyber incident is critical in ensuring consumers are protected,” said Chris Feeney, president of BITS, the technology policy division of the Financial Services Roundtable.
“This is a reaffirmation from the White House that the private sector has a shared responsibility with the government to protect against these types of attacks and to respond effectively to mitigate ongoing harm when there is an attack,” said Ed McAndrew, a former federal cybercrime prosecutor and partner at law firm Ballard Spahr. “It provides a road map for government agencies and the private sector to follow up on the policy directive and institute concrete steps to ensure the directive is being followed,” he said.
McAndrew said that the move is in response to the government’s $19 billion cybersecurity budget, which includes $3.1 billion towards information technology modernization efforts such as the Cybersecurity National Action Plan announced in February.