US President Barack Obama issued a policy directive on Tuesday detailing how the federal government should respond to incidents of cybersecurity. The directive, also known as PPD-41, pushed for shared responsibly and unity regarding attacks, and added some clarity for the channels through which private sector organizations report incidents to government agencies.
In the directive’s introduction, Obama called cyber incidents “a fact of contemporary life,” but noted that they were “occurring with increasing frequency, impacting public and private infrastructure located in the United States and abroad.” This new directive aims to better position responses to cyber incidents happening in the government or the private sector.
SEE: Information security policy template (Tech Pro Research)
Early on, the directive seeks to differentiate between a “cyber incident” and a “significant cyber incident.” A cyber incident, it seems, simply refers to a run-of-the-mill security breach or attack, while a significant cyber incident is one that it “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”
“How the Federal Government defines an incident will determine its response and the response expected by other parties involved in the cyber incident,” said security expert and TechRepublic columnist Michael P. Kassner. “That kind of clarification might go a long way to remove confusion as well as any after-the-fact blame game.”
To properly respond to these incidents, the directive laid out five principles to guide the response efforts:
- Shared responsibility – The public sector, the private sector, and individual citizens all share responsibility and interest in keeping the US safe from cyberattacks.
- Risk-based response – The government will triage cyber incidents based on risk, and dedicate resources accordingly,
- Respecting affected entities – The government will protect the details of the affected parties in a cyberattack, especially private sector entities, as best they can under the law.
- Unity of governmental effort – The efforts of government entities responding to a cyber incident must be coordinated, and the first entity involved must notify other agencies of the incident.
- Enabling restoration and recovery – Governmental response to security incidents must happen in a way that helps the victim “return to normal operations” as quickly as possible.
The risk-based response and the definitions of a cyber incident versus a significant cyber incident are important for businesses, because it provides some clarity as to what type of support organizations can expect.
“The directive provides some clarity to how organizations should expect law enforcement to assist them through the cyber security severity scale,” said John Pironti, president of IP Architects. “This will be important for organizations to include as a consideration in their incident response plan development as well as preparing for possible litigation impacts that could result as part of the cyber security incident.”
In terms of specific efforts involved, the directive listed three lines of effort that must happen concurrently: threat response, asset response, and intelligence support and related activities. If the victim if a federal agency, an additional line of effort will be enacted to keep operations running smoothly.
To coordinate efforts against significant cyber incidents, a Cyber Unified Coordination Group (UCG) will be formed to facilitate the responses among federal agencies. Threat response for significant cyber incidents will be handled by “the Department of Justice, acting through the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force.” Asset response will be handled by the “Department of Homeland Security, acting through the National Cybersecurity and Communications Integration Center,” and the “Office of the Director of National Intelligence, through the Cyber Threat Intelligence Integration Center” will head up intelligence support and related activities.
SEE: Obama seeks $19B for cybersecurity in 2017, a 36% increase (TechRepublic)
The president’s directive also outlined plans for how contact information should be managed for private sector victims to report incidents to the proper authorities. The directive stated: “The Departments of Homeland Security and Justice shall maintain and update as necessary a fact sheet outlining how private individuals and organizations can contact relevant Federal agencies about a cyber incident.”
This is important, Pironti said, because it provides clarity on what agency that private sector organizations need to reach out to in case of an attack.
“Previously organizations had to navigate through a number of different law enforcement and government agencies in order to find the correct one to help them with their specific type of attack,” Pironti said. “This was primarily due to the impacts and types of data or technology that was affected (i.e. Personal Identifiable Information, Personal Health Information, Intellectual Property, Trade Secret, Non-Public Private Information, and Classified data).”
The directive is the latest security initiative from Obama, who recently called for $19 billion to be dedicated to cybersecurity in the 2017 budget.
The 3 big takeaways for TechRepublic readers
- US President Barack Obama recently published a policy directive outlining how the federal government will respond to cyber incidents.
- The directive designates a different in cyber incidents and significant cyber incidents, which could provide clarity on the type of response seen in a particular situation.
- The directive also requires that contact information for responding agencies be kept and maintained, which could make it easier for organizations to get help after an attack.