The White House released a new policy directive July 26 that will guide how the federal government coordinates with the private sector in responding to significant cyber incidents, an announcement that came just days after thousands of hacked emails from the Democratic National Committee were published.
The plan could improve responses to potential cyberattacks on the financial sector, federal agencies and physical infrastructure such as the electric grid. Under the directive, a significant cyber incident is one that is likely to harm national security interests, foreign relations, the U.S. economy, or the public health and safety of Americans.
The policy outlines five principles for incident response, including shared responsibility among individuals, government agencies and the private sector in protecting the U.S. from malicious cyber activity, and rapid notification of other federal agencies when one agency becomes aware of a cyber incident.
Federal response activities are organized into three "lines of effort" coordinated by different lead agencies. The U.S. Department of Justice will lead the threat response line, which includes law enforcement and national security investigation activities. The U.S. Department of Homeland Security will be in charge of asset response activities, including providing technical assistance to mitigate vulnerabilities and reduce the impact of a cyber incident. Lastly, the Office of the Director of National Intelligence will manage the intelligence support and related activities line, which will help with intelligence collection, investigative support and potential mitigation of adversary threat capabilities.
The policy directive establishes a three-tiered "coordination architecture" for handling significant cyber incidents. One tier pertains to national policy and will task the National Security Council-chaired Cyber Response Group with leading the development and implementation of U.S. policies and strategy on major cyber incidents. The group includes participants from the departments of State, Treasury, Defense, Justice, Commerce, Energy and Homeland Security, as well as the Central Intelligence Agency, Federal Bureau of Investigation and the National Security Agency.
The second tier focuses on operational responses to cyber incidents. That tier includes creation of a Unified Coordination Group made up of federal, state, local and tribal agencies and private entities that will work together on incident response, including rapid information sharing among group members.
In the third and final tier, the president's new directive requires the lead agencies for each "line of effort" to coordinate with each other and with the entity affected by a cyber incident.
The White House said its new policy will integrate U.S. cyber incident coordination with existing national preparedness policies. That approach will help the country be ready to manage events with both cyber and physical implications, such as a power outage caused by malicious cyber activity, the administration said.
The policy directive provides "important clarity" on the federal government's role and responsibilities in the event of a cyber incident, said Scott Aaronson, executive director for security and business continuity at the Edison Electric Institute, which represents investor-owned utilities.
But some industry experts say the private sector should be more involved. "This directive is very focused on the federal government response, but falls short in recognizing that most critical infrastructure is owned and operated by the private sector," said Brian Harrell, a security consultant with Navigant Consulting Inc. and a former security expert for the North American Electric Reliability Corp. "It is laudable to have your federal response 'ducks in a row,' but any plan should also recognize private sector efforts and the assistance required during a catastrophic attack."
Harrell said utilities need additional security clearances and better engagement with NERC's Electricity Information Sharing and Analysis Center, with the federal government often having intelligence that can benefit critical infrastructure owners and operators and possibly mitigate or stop a cyber or physical attack.
The Obama administration has stepped up its focus on cybersecurity in the past year. In February, the White House released a national cybersecurity plan that, among other things, sought to enhance protections for critical infrastructure and form a nongovernmental commission to recommend steps for strengthening private and public sector cybersecurity. The efforts come amid several high-profile breaches in recent years, including a cyberattack that caused a temporary power outage in Ukraine in December 2015 and denial-of-service attacks on the U.S. financial sector and a dam in the New York City area.
More recently, WikiLeaks on July 22 released thousands of emails and attachments from top Democratic National Committee officials that included communication on the 2016 presidential elections.