A new White House directive aims to make clear the responsibilities of each federal agency in the event of a cyberattack and create a rating system to determine the severity of an attack.
The Presidential Policy Directive (PPD) on United States Cyber Incident Coordination aims to clarify the federal cybersecurity incident response plan, ensuring that it is understood which agency takes the lead in a given situation and making cooperation between agencies more efficient. It also aims to differentiate "between significant cyberincidents and steady-state incidents, and applying the PPD's guidance primarily to significant incidents."
Ed Hammersla, chief strategy officer for Forcepoint LLC, based in Austin, Texas, said he "applauds the White House's leadership in cybersecurity."
"This guidance reflects the recognition of both the potential severity of a major cybersecurity event and the day-to-day importance of cybersecurity in our daily lives. A top-level plan coordinating all federal actions is an absolute necessity in 2016," Hammersla told SearchSecurity. "There are many ways they could have divided responsibility; this plan is a great start. What's most important is that they have published a plan for everyone to follow. The next step will be to see how the plan works, both in exercise scenarios and real life, so it can be refined."
The directive outlines five federal cybersecurity incident response principles that aim to promote a cooperative, risk-based response that protects sensitive information, ensures the right agencies are working together, and facilitates quick restoration and recovery from a cyberincident.
The White House expects agencies to follow these five principles, but makes it clear that these procedures are designed for response to a significant cyberincident. To identify whether an incident meets this threshold, the White House has also created a cyberincident severity schema, which rates an incident on a scale from zero (low) to five (emergency). Under this schema, the federal cybersecurity directive would not take effect until an incident is rated level three, defined as a high-level threat that is "likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties or public confidence."
The law enforcement investigation, attribution and pursuit of the threat actor of a cyberincident will be the responsibility of the Department of Justice, acting through the FBI and the National Cyber Investigative Joint Task Force. Determining the risk profile for an incident, mitigating vulnerabilities and guiding other potential targets will be up to the Department of Homeland Security, acting through the National Cybersecurity and Communications Integration Center. Intelligence collection in support of investigations and analysis of threat trends and events to identify knowledge gaps will be the duty of the Office of the Director of National Intelligence, acting through the Cyber Threat Intelligence Integration Center.
John Dickson, formerly of the U.S. Air Force CERT and principal of Denim Group Ltd., based in San Antonio, said this organization of responsibility is likely to change.
"I think that the way the responsibility for cyberattacks has been divided is a great start, but will likely heavily evolve over time," Dickson said. "It provides clarity and will eliminate some of the inevitable interagency friction that arises when an event happens in the executive branch. The bulk of resources in the cybersecurity realm still live at the National Security Agency, and I suspect that reality will have to be addressed more concretely going forward."
Timothy Edgar, academic director for law and policy, and executive master in cybersecurity at Brown University, said the plan was useful, but criticized the value of the rating schema.
"The responsibilities are divided in a sensible way, underscoring that no one department or agency can be said to be in charge of cybersecurity as a whole," Edgar said. "Dividing cybersecurity incidents into levels is of limited use. Each cyberincident is unique. We should spend very little, if any, time or energy worrying about whether an incident is a three or a five, and concentrate on what to do to make our computer systems more secure."