Don’t stop thinking about tomorrow
On Tuesday, the White House issued its Presidential Policy Directive-41 (PPD-41), or “United States Cyber Incident Coordination” plan. The PPD follows on the heels of the Cybersecurity National Action Plan, the Obama administration’s attempt to button up cybersecurity efforts in the face of growing threats against U.S. entities and some government breaches of impressive proportions. Both plans demonstrate awareness by the Federal Government that “cyber incidents are a fact of contemporary life,” and an acknowledgement that more needs to be done to protect national interests.
The PPD-41 is a nod to a formal incident response plan, though lacking the kind of specifics one would expect to find in a usable, effective IR plan—organizational charts, reporting structures, communications guidelines, containment strategies, etc. Rather, PPD-41 outlines which agency will be involved in a given general category of incident response. But to understand who does what, one must first define “incident.” The press release about PPD-41 describes a cyber incident as, “An event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.”
A significant cyber incident, on the other hand, is, “A cyber incident that is (or group of related cyber incidents that together are) likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” It’s true: destroying public confidence, civil liberties, or public health and safety is significantly bad.
A complementary Cyber Incident Severity Schema was created to help further categorize incidents and help agencies determine appropriate courses of action. The press release describes the schema as “a common framework for evaluating and assessing cyber incidents to ensure that all departments and agencies have a common view.”
If it takes just a little while
Clarification of and agreement on terminology allows the government to decide which department takes action during an incident, and when. It also lets private sector individuals or corporations know what to expect if or when local, state, or federal resources become involved. This is necessary because, over the years, the interplay between the private and public sectors has been a bone of contention; the government has touted “collaboration,” but by some private sector security practitioners’ assessments, the sharing is a one-way street. Government is happy to assist during/after an incident when called upon (if appropriate), but never is the “secret sauce” of the investigation revealed. The tactics and techniques used by the government to hunt down cybercriminals are kept under a veil of secrecy, even though it’s been fairly well proven that cyber threat information sharing is a benefit to everyone and only improves organizations’ security postures in the long term.
While the PPD-41 doesn’t go so far as to offer up the tactics and techniques that will be used, it does outline a shared responsibility model for responding to security incidents involving the public sector. (N.B. The plan also explains a coordination of efforts when government alone is affected.) Not part of the PPD-41 but an ongoing effort nonetheless is a project between the DHS, private sector organizations, and other federal departments and agencies to develop a “National Cyber Incident Response Plan (NCIRP),” which will establish a framework for mitigating, responding to, and recovering from cyber incidents. Though the latter project is still in the works (projected completion date: fall 2016), tying these various initiatives, directives, and plans together does suggest a willingness on the part of the Federal Government to concede that they need to play more nicely in the sandbox with private sector peers if they’re going to stop some of the more destructive and/or embarrassing attacks.
Open your eyes and look at the day
Another key element of the PPD-41 is its guidance on three “Concurrent Lines of Effort,” and the corresponding agencies assigned to respond to the categories of cyber incidents. They are:
A fourth line of effort assures that incident response for a Federal agency will be managed by the affected agency, but stipulates that “When a cyber incident affects a private entity, the Federal Government typically will not play a role in this line of effort, but it will remain cognizant of the affected entity’s response activities, consistent with the principles above and in coordination with the affected entity.” So no stepping on private enterprises’ toes, which should be a relief to enterprise security practitioners.
You’ll see things in a different way
Laying out a plan on paper is a good first step, and the government has, as of late, produced a lot of paper about cybersecurity. The proof will be in the pudding, as the saying goes; how much will these plans and directives improve security, within government agencies and spilling over into the private sector? No one knows for sure. The hope, however, is that by putting time and effort into a plan and thinking through various scenarios, governmental security and incident response teams will be better equipped to deal with incidents as they arise. The key, however, will be in the follow-up to the plan. As with any planning, reviews, updates, refinement, and practice will be necessary to ensure the plan is current and actionable. The only good plan is one that can be executed when necessary. For certain, security incidents are on the horizon so the government will have ample opportunity to test the PPD-41 soon enough.