Update: 5:15 p.m.
As the lead on "intelligence support and related activities," the Office of the Director of National Intelligence (ODNI) and the entire intelligence community will be responsible for the third leg of the administration's new policy for responding to major cyberattacks.
In the wake of a significant attack, ODNI would be responsible for gathering and analyzing threat trends globally and in cyberspace to "build situational awareness and to identify knowledge gaps" as part of a coordinated response, a U.S. intelligence official told Federal Times. This picture of the threat landscape could also be used to "degrade or mitigate adversary threat capabilities," they added.
This mission will be coordinated through the Cyber Threat Intelligence Integration Center (CTIIC), which will take the lead on intelligence gathering and dissemination under the new policy, as it does for the intelligence community on a daily basis.
Update: July 26, 3:40 p.m.
The FBI issued a release lauding the new policy.
Cyber Division Assistant Director James Trainor noted the directive "codifies the essential role that the FBI plays in cyber incident response, recognizing its unique expertise, resources and capabilities."
And, moving forward, "as the Bureau continues evolving to keep pace with the cyber threat, the authorities contained in PPD-41 will allow us to help shape the nation's strategy for addressing nationally-significant cyber incidents," he added.
See more about the FBI's role below and see the full news release here.
Nathaniel Gleicher, head of cybersecurity strategy at Illumio and former cybercrime prosecutor at the Department of Justice and director of cybersecurity policy for the White House National Security Council, said the policy might seem procedural, "But it's a big deal to clearly lay out roles for law enforcement, DHS" and the intelligence community.
"But the most interesting part for me is the severity schema that they create for assessing the impact of cybersecurity incidents," he said.
We tend to have a hard time judging how serious intrusions are because there's no consistent framework to judge them. What's more serious — a breach that costs a company millions of dollars, a breach that exposes the personal information of thousands of people or a breach that exposes an organization to massive embarrassment? Without a single baseline, you'll get different organizations reacting in very different ways, which undermines our ability to mitigate and deter major intrusions.
This schema is only one way of judging this — from the perspective of the U.S. government — but having a framework begins to create that common baseline for judging future intrusions.
Using the framework included in the policy, Gleicher said the breach and subsequent leak of Democratic National Committee emails would likely be categorized a level three intrusion, "which is useful for putting it in perspective."
Original Post: July 26, 12:29 p.m.
As the nature and number of cyberattacks rise at an astonishing rate, lawmakers and security experts have criticized the administration for lacking a comprehensive policy for responding to these attacks. The White House responded to those criticisms on July 26 with Presidential Policy Directive 41: United States Cyber Incident Coordination.
"I am often asked, 'Who's responsible within the federal government for cybersecurity? Who in the government do I contact in the event of a cyber incident?'" Homeland Security Secretary Jeh Johnson said on the policy's release. "Today, President [Barack] Obama's [PPD-41] clarifies the answer to these questions."
PPD-41: United States Cyber Incident Coordination
The policy "sets forth principles governing the federal government's response to any cyber incident, whether involving government or private sector entities" and establishes the framework for how agencies should coordinate during "significant cyber incidents" affecting the government, private sector or international partners.
The document differentiates between general cyber incidents — an event that compromises data or networks — and significant incidents, which can cause "demonstrable harm to the national security interests, foreign relations or economy of the United States or to the public confidence, civil liberties or public health and safety of the American people."
The policy outlines exactly what the administration means by "response," which includes three main "lines of effort:" threat response, asset response and intelligence support and related activities. If the attack affects a federal agency, a fourth line of effort is added to "manage the effects of the cyber incident on its operations, customers and workforce."
"When a cyber incident affects a private entity, the federal government typically will not play a role in this line of effort, but it will remain cognizant of the affected entity's response activities," the policy states. "The relevant sector-specific agency (SSA) will generally coordinate the federal government's efforts to understand the potential business or operational impact of a cyber incident on private sector critical infrastructure."
The document goes into detail on each of these lines of effort, which will be coordinated at the highest level by the Cyber Response Group (CRG), part of the president's National Security Council.
When a significant event is identified, a Cyber Unified Coordination Group (UCG) will be established, made up of the affected agencies, members of the CRG and any relevant agencies for the sector being attacked — e.g., involving Health and Human Services in discussions around attacks on the health care sector.
Along with the affected agencies, the Department of Justice — and specifically the FBI and National Cyber Investigative Joint Task Force — will lead the threat response "in view of the fact that significant cyber incidents will often involve at least the possibility of a nation-state actor," according to the document.
DHS will be tapped to lead the asset response, while the Office of the Director of National Intelligence heads intelligence support through the Cyber Threat Intelligence Integration Center (CTIIC).
However, "The Cyber UCG is intended to result in unity of effort and not to alter agency authorities or leadership, oversight or command responsibilities," the policy states. "Unless mutually agreed upon between agency heads or their designees … federal departments and agencies will maintain operational control over their respective agency assets."
Finally, the directive looks to coordinate interaction with the public.
When a threat appears or attack occurs, companies and individuals shouldn't have to worry about which federal agency to contact. Instead, each agency will maintain a "fact sheet" detailing who they should contact and how they should proceed.
Lawmakers like Rep. Jim Langevin, D-R.I., acknowledged the policy as a good first step but urged Congress to follow up with the appropriate legislative support.
"The administration's efforts to institutionalize cybersecurity policies before the transition is to be commended; however, it is insufficient," said Langevin, who is a co-founder of the Congressional Cybersecurity Caucus. "Congress must ensure that appropriate resources are allocated to cybersecurity — from workforce development to retiring legacy systems — and ensure that the law keeps pace with the rapidly changing technology landscape."
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.