The White House recently issued a Presidential Policy Directive (PPD) on United States Cyber Incident Coordination, setting out principles governing the federal government’s response to cyber incidents, whether involving government or private sector entities. A White House fact sheet states that the new PPD "marks a major milestone in codifying the policy that governs the Federal government’s response to significant cyber incidents."
The PPD names the Department of Justice, acting through the Federal Bureau of Investigation, as the federal lead agency for threat response activities. The PPD also requires the DOJ and Department of Homeland Security to maintain updated contact information for public use to assist entities affected by cyber incidents in reporting those incidents to the proper authorities.
Cyber incidents. The PPD defines a cyber incident as an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or the information in those systems. A significant cyber incident is one likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.
Concurrent lines of effort. In responding to any cyber incident, federal agencies must undertake three concurrent lines of effort: threat response; asset response; and intelligence support and related activities.
| 1. |
Threat response activities include conducting appropriate law enforcement and national security investigative activity at the affected entity’s site; collecting evidence and gathering intelligence; providing attribution; linking related incidents; identifying additional affected entities; identifying threat pursuit and disruption opportunities; developing and executing courses of action to mitigate the immediate threat; and facilitating information sharing and operational coordination with asset response.
|
| 2. |
Asset response activities include providing technical assistance to affected entities; identifying other entities that may be compromised; assessing potential risks to the sector or region; facilitating information sharing and operational coordination with threat response; and providing guidance on how best to utilize federal resources.
|
| 3. |
Intelligence support and related activities facilitate: the building of situational threat awareness and sharing of related intelligence; the integrated analysis of threat trends and events; the identification of knowledge gaps; and the ability to degrade or mitigate adversary threat capabilities.
|
In addition, the PPD stated that when a federal agency is an affected entity, it will undertake a fourth concurrent line of effort to manage the effects of the cyber incident on its operations, customers, and workforce.
Response architecture. In order to respond effectively to significant cyber incidents, the federal government will coordinate its activities in three ways: national policy coordination, national operational coordination, and federal lead agencies.
| 1. |
A Cyber Response Group (CRG) will coordinate the development and implementation of the federal government’s policies, strategies, and procedures for responding to significant cyber incidents.
|
| 2. |
Each agency participating in the CRG will establish and follow enhanced coordination procedures as defined in the annex to this PPD in situations in which the demands of responding to a significant cyber incident exceed its standing capacity. A Cyber Unified Coordination Group will serve as the primary method for coordinating among federal agencies in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts. The FBI will be the federal lead agency for threat response activities. Homeland Security will be the lead agency for asset response activities. The Office of the Director of National Intelligence will be the lead agency for intelligence support and related activities.
|
| 3. |
Field-level representatives of the lead agencies will ensure that they effectively coordinate their activities.
|
Within 180 days of the date of the PPD, Homeland Security must submit a national cyber incident response plan to address cybersecurity risks to critical infrastructure to the President. The PPD notes that this policy complements and builds upon PPD-8 on National Preparedness of March 30, 2011. By integrating cyber and traditional preparedness efforts, the PPD states, the nation will be ready to manage incidents that include both cyber and physical effects.
FSR response. A Financial Services Roundtable press release stated that the PPD "has the potential to clarify roles and responsibilities while improving coordination before and during a cyber incident." Chris Feeney, President of BITS, FSR’s Cyber and Technology Policy division, said, "Ensuring the private sector and the government clearly understand roles and responsibilities in advance of a cyber incident is critical in ensuring consumers are protected."
For more information about cybersecurity in the banking and finance industry, subscribe to the Banking and Finance Law Daily.
