Amid the federal investigation into the massive email leak from the Democratic National Convention, the White House issued guidance for the first time on how government agencies should respond to large-scale cyber incidents.
The Presidential Policy Directive on US Cyber Incident Coordination (PPD-41), which was several years in the making, provides a set of principles for responding to a significant cyber incident and defines specific cyber roles for federal agencies.
“To put it bluntly, we are in the midst of a revolution of the cyber threat, one that is growing more persistent, more diverse, more frequent and more dangerous every day,” White House counter-terrorism adviser Lisa Monaco told a cyber security conference in New York.
“Unless we act together – government, industry and citizens – we risk a world where malicious cyber activity could threaten our security and prosperity,” she said. “That is not a future we should accept.”
The Administration also released a common framework for grading the severity of a cyberattack. Each incident is assigned a severity level on a six-level scale, zero through five. An incident ranked at level 3 or above is considered “significant,” triggering a federal response.
PPD-41 is specifically designed to address a “significant” cyber incident, which is defined as “one that either singularly or as part of a group of related incidents is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”
Secretary of Homeland Security Jeh Johnson said the directive answers the question of who to call and who is responsible within the federal government in the event of a cyber incident. Until now, there was no clear roadmap for coordinating a federal response to significant attacks.
“Today’s PPD is one more crucial step by the Obama Administration to improve our nation’s cybersecurity,” said Johnson. “It not only clarifies the roles of the various government actors involved in cybersecurity, it re-enforces the reality that cybersecurity must be a partnership between the government and the private sector, and among the law enforcement, homeland security and intelligence components of the government.”
The Department of Homeland Security (DHS) will act as the point of contact and main coordinator for asset response. Specifically, DHS will lead the effort to write the National Cyber Incident Response Plan, which will set out how the federal government will work with the private sector and state, local, and territorial governments in responding to a significant cyber incident.
The Department of Justice, acting through the FBI and the National Cyber Investigative Joint Task Force, will lead threat response activities.
“PPD-41 codifies the essential role that the FBI plays in cyber incident response, recognizing its unique expertise, resources, and capabilities,” said FBI Assistant Director James Trainor, Cyber Division. “And as the Bureau continues evolving to keep pace with the cyber threat, the authorities contained in PPD-41 will allow us to help shape the nation’s strategy for addressing nationally-significant cyber incidents.”