New White House Policy Defines Coordination of Cyber Response
Directive Issuance Comes as Russians Suspected in Meddling in U.S. Elections
The Obama administration is implementing a presidential policy directive designed to coordinate response to a large-scale cyber incident.
"This directive establishes a clear framework to coordinate the government's response to [significant] incidents," Lisa Monaco, assistant to the president for homeland security and counterterrorism, told the International Conference on Cybersecurity, which met in New York on July 26. "It spells out which federal agencies are responsible. And it will help answer a question heard too often from corporations and citizens alike - 'In the wake of an attack, who do I call for help?'"
The administration defines a significant cyber incident as one that either on its own, or as part of a group of related incidents, would likely result in demonstrable harm to national security interests, foreign relations, the economy of the United States, public confidence, civil liberties or public health and safety of the American people.
Issuance of the directive comes as some highly regarded cyber and policy experts suspect the Russian government could be meddling in the U.S. presidential election by hacking and then leaking emails from Democratic National Committee computers (see How Should U.S. Respond If Russians Hacked DNC System? and DNC Breach More Severe Than First Believed).
Five Guiding Principles
According to a White House fact sheet, the directive outlines five principles that will guide the government during a cyber incident response:
- Shared Responsibility: Individuals, the private sector and government agencies have a shared vital interest and complementary roles and responsibilities in protecting against malicious cyber activity and managing cyber incidents and their consequences.
- Risk-Based Response: The federal government will determine its response actions and resource needs based on an assessment of the risks posed to an entity, to national security interests, foreign relations or the economy of the United States, or to the public confidence, civil liberties or public health and safety of the American people.
- Respecting Affected Entities: Federal government responders will safeguard details of the incident, as well as related privacy and civil liberties and sensitive private sector information.
- Unity of Effort: Whichever federal agency first becomes aware of a cyber incident will rapidly notify other relevant agencies in order to facilitate a unified federal response and ensure that the right combination of agencies responds to a particular incident.
- Enabling Restoration and Recovery: Federal response activities will be conducted in a manner to expedite restoration and recovery of an entity that has experienced a cyber incident, balancing investigative and national security requirements with the need to return to normal operations as quickly as possible.
Applying Lessons Learned
In explaining why the directive is needed, the White House says the United States has been faced with managing increasingly significant cyber incidents that affect the federal government and private sector.
"We have applied the lessons learned from these events, as well as our experience in other areas such as counterterrorism and disaster response," a White House statement says. "That experience has allowed us to hone our approach but also demonstrated that significant cyber incidents demand a more coordinated, integrated and structured response. We have also heard from the private sector the need to provide clarity and guidance about the federal government's roles and responsibilities."
As part of the directive, the administration released a cyber incident severity schema that establishes a common framework within the government to evaluate and assess the severity of cyber incidents and to help identify the significant cyber incidents to which the directive's coordination procedures would apply.
According to the White House, the schema describes a cyber incident's severity from a national perspective, defining six levels, zero through five, in ascending order of severity. Each level describes the incident's potential to affect public health or safety, national security, economic security, foreign relations, civil liberties or public confidence. An incident that ranks at a level 3 or above on this schema is considered "significant" and will trigger application of the directive's coordination mechanisms.
Three Lines of Effort
The directive organizes federal response activities into three lines of effort - threat response, asset response and intelligence support activities - and establishes a federal lead agency for each.
"When a federal agency is a victim of a significant cyber incident, that agency will be the lead for this fourth line of effort," the White House statement says. "In the case of a private victim, the federal government typically will not play a role in this line of effort, but will remain cognizant of the victim's response activities consistent with these principles and coordinate with the victim."