On July 26, 2016, responding to rising cyber attacks and public criticism, the federal government issued a Presidential Policy Directive (PPD-41) to clarify the role of law enforcement agencies, to increase coordination across the government, and to divide cybersecurity efforts into three categories: asset response, threat response and intelligence support. PPD-41 outlines five key principles for the federal government and federal agencies in complying with the “whole-government” approach to cybersecurity. Although the initiative is directed at the federal government and sector-specific agencies, private entities are also likely to be affected and are instructed on the best practice for cyber incident reporting.
PPD-41 emphasizes unity in the government’s response to cybersecurity incidents, outlining five guiding principles of the directive. In structuring incident reporting and protection mechanisms, the government seeks to emphasize shared responsibility, increased awareness, risk-based responses, respect for entities affected by the incident, unity in governmental efforts in responding to an incident, and effective restoration and recovery following a cybersecurity breach. In distributing the responsibilities of cybersecurity, the government designates specific agencies to take charge of the three categories of protection. The Department of Homeland Security (DHS) will lead asset response activities and post-breach recovery needs, the Department of Justice (DOJ) in collaboration with the FBI will be in charge of threat response, and the Office of the Director of National Intelligence (ODNI) will head intelligence support.
Although the objectives of reforming cyber incident response efforts are clear, the actual procedures for implementing these objectives have yet to be determined. Initially, PPD-41 is directed at federal agencies, which have 90 days from the release of the directive to establish enhanced coordination procedures for dealing with cyber incidents that would exceed their current capacity, and to outline a pathway for communicating with other agencies during a “significant cyber incident.”1 Agencies have 150 days to train the appropriate personnel in enforcing PPD-41, and 180 days to incorporate the principles of the policy into their cyber incident response procedures. Generally, agencies are required to enhance their internal cybersecurity coordination and to create their own cyber unified coordination group (UCG) to handle significant threats. The directive also instructs the DHS to lead in creating the National Cyber Incident Response Plan.
Alongside agency-specific reforms, PPD-41 creates a national Cyber Response Group (CRG), chaired by the Special Assistant to the President and Cybersecurity Coordinator, who will work alongside senior representatives from the DHS, the Department of Defense, the DOJ, the Department of Commerce, the Department of State, the Department of Treasury, the Department of Energy, the Joint Chiefs of Staff, ODNI, the FBI, the National Cyber Investigative Joint Task Force, the Central Intelligence Agency and the National Security Agency.
Private entities should keep an eye out for the procedures to be issued within the next six months and are advised to abide by the severity schema developed to categorize ranks of cybersecurity threats. While the government will generally not play a role in cyber incidents within a private entity, the sector-specific agency relevant to the entity will monitor the potential impact of the incident, assist the private entity in mitigating the security breach and enforce future preventative measures. To ease the oversight, the DHS and the DOJ are required to maintain and update a fact sheet of which agencies private individuals and organizations should contact in the event of an attack. Trained federal investigators and technical personnel are available to provide private entities with support in recovering from a cyber incident.
Following the signing of PPD-41, the DHS issued reporting guidelines for any entity, private or public, affected by a cyber attack. Victims of a breach should report it if the event results in a significant loss of data, affects a large group, results in unauthorized access to critical information technology systems, affects core government functions, or impacts national or economic security, public health, or safety. Depending on the type of breach, private entities should report a cyber incident to both the FBI and the DHS through their local field officers, the Immigration and Customs Enforcement Office, the Secret Service, or the National Cybersecurity and Communications Integration Center.
1 A significant cyber incident is an “incident that is (or group of related cyber incidents that together are) likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” (https://www.whitehouse.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident)