Obama defines how the US government will respond to cyber incidents

US president Barack Obama approved on Tuesday the Presidential Policy Directive on United States Cyber Incident Coordination (PPD-41).


What’s the PPD-41 all about?

It’s not a secret that the US has been faced with managing increasingly significant cyber incidents affecting both the private sector and Federal government, and the private sector has been clamouring for more clarity and guidance about the Federal government’s roles and responsibilities.

The PPD-41 is especially geared towards defining the Federal government’s response to “significant” cyber incidents, i.e. incidents that can “result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”

The directive is based on five principles that will guide the government during any cyber incident response:

  • Shared responsibility (between individuals, the private sector, and government agencies)
  • Risk-based response
  • Respect for affected entities (both their privacy and civil liberties)
  • Unity of effort (whichever agency first becomes aware of a cyber incident notifies the others, and then a choice is made as to which one will respond to that particular incident), and
  • Enabling restoration and recovery (be mindful of the need of the affected entity to return to normal operations as quickly as possible).

But it is the “unity of effort” and “shared responsibility” principles that are most covered by this directive, as it essentially defines how the various agencies are expected to work together when responding to such incidents.

For example, it defines that “Departments of Homeland Security and Justice shall maintain and update as necessary a fact sheet outlining how private individuals and organizations can contact relevant Federal agencies about a cyber incident.”

Or, that “the Department of Justice, acting through the FBI and the National Cyber Investigative Joint Task Force, shall be the Federal lead agency for threat response activities,” and “the Department of Homeland Security, acting through the National Cybersecurity and Communications Integration Center, shall be the Federal lead agency for asset response activities.”

More details about the directive can also be found in this fact sheet.

Why is the directive a good idea?

“It may seem procedural, but it’s a big deal to clearly lay out roles for law enforcement, DHS, and the IC – that will make responding to breaches smoother and faster. It’s not easy to work through dividing responsibilities like this, so it’s great that they got it out the door,” Nathaniel Gleicher, Head of Cybersecurity Strategy at Illumio, commented on the release of the directive for Help Net Security.

“But the most interesting part for me is the severity schema that they create for assessing the impact of cybersecurity incidents,” he pointed out.

“We tend to have a hard time judging how serious intrusions are because there’s no consistent framework to judge them. What’s more serious – a breach that costs a company millions of dollars, a breach that exposes the personal information of thousands of people, or a breach that exposes an organization to massive embarrassment? Without a single baseline, you’ll get different organizations reacting in very different ways, which undermines our ability to mitigate and deter major intrusions.”

“This schema is only one way of judging this – from the perspective of the US government – but having a framework begins to create that common baseline for judging future intrusions,” he noted. “Depending on how the facts play out, the DNC hack is probably a level 3 intrusion on the schema. Which is useful for putting it in perspective.”

UPDATE (29 July 2016): The DHS has released guidelines on when, what, and how to report a cyber incident to the federal government. The document also includes points of contact for doing that.
