On July 26, 2016, President Obama issued a new Presidential Directive setting forth the framework for how the United States (US) federal government will respond to “cyber incidents,” whether involving government or private sector entities. The new directive (PPD-41):
- Outlines guiding principles governing the federal government’s response to “cyber incidents”;
- Sets forth the concurrent lines of effort federal agencies shall undertake in responding to any “cyber incident,” whether private or public;
- Identifies the ways the federal government will coordinate its activities in responding to “significant cyber incidents,” including the establishment of lead US federal agencies; and
- Requires the US Departments of Justice (DOJ) and Homeland Security (DHS) to maintain updated contact information for public use to assist entities impacted by “cyber incidents” in reporting those incidents to the proper authorities.
- Cyber Incident: PPD-41 defines “cyber incident” as an event “occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.”
- Significant Cyber Incident: PPD-41 defines a “significant cyber incident” as one that is “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”
In carrying out its incident response activities, the federal government is to be guided by the following principles:
- Shared Responsibility: Individuals, the private sector, and government agencies have a “shared vital interest and complementary roles and responsibilities” in protecting the US from malicious cyber activity and managing cyber incidents and their consequences.
- Risk-Based Response: The federal government will determine its response actions on an “assessment of the risks posed to an entity, our national security, foreign relations, the broader economy, public confidence, civil liberties, or the public health and safety of the American people.”
- Respecting Affected Entities: Federal government responders will “safeguard details of the incident,” to the extent permitted under law, as well as “privacy and civil liberties, and sensitive private sector information[.]” In the event a “significant” federal government interest is served by a public statement concerning the incident, federal responders are to coordinate their approach with the affected entity.
- Unity of Governmental Effort: The efforts of the various governmental entities must be coordinated to “achieve optimal results.” Therefore, whichever federal agency “first becomes aware of a cyber incident will rapidly notify other relevant” federal agencies in order to facilitate a unified response, and will coordinate with relevant state, local, tribal and territorial governments to coordinate the same.
- Enabling Restoration and Recovery: Federal response activities are to be conducted “in a manner to facilitate restoration and recovery of an entity that has experienced a cyber incident[.]”
Concurrent Lines of Effort
In responding to a cyber incident, federal agencies are required to take three “concurrent lines of effort:”
- Threat response;
- Asset response; and
- Intelligence support and related activities.
Where a federal agency is the affected entity, it shall undertake a fourth concurrent line of effort “to manage the effects of the cyber incident on its operations, customers and workforce.”
Threat response activities include:
- Conducting appropriate law enforcement and national security investigative activity at the affected entity’s site;
- Collecting evidence and gathering intelligence;
- Providing attribution;
- Linking related incidents;
- Identifying threat pursuit and disruption opportunities;
- Developing and executing courses of action to mitigate the immediate threat; and
- Facilitating information sharing and operational coordination.
Asset response activities include:
- Furnishing technical assistance to affected entities to protect their assets;
- Mitigating vulnerabilities;
- Identifying other entities that may be at risk;
- Assessing potential risks to sector; and
- Facilitating information sharing and operational coordination.
Intelligence Support and Related Activities
Intelligence support and related activities will facilitate:
- The building of “situational threat awareness and sharing of related intelligence;”
- The integrated analysis of threat trends and events;
- The identification of knowledge gaps; and
- The ability to degrade or mitigate adversary threat capabilities.
Impacted Government Agency
An affected federal agency will engage in a fourth concurrent line of effort to manage the impact of a cyber incident, which may include:
- Maintaining business or operational continuity;
- Addressing adverse financial impacts;
- Protecting privacy;
- Managing liability risks;
- Ensuring legal compliance;
- Communicating with affected individuals; and
- Dealing with external affairs.
Architecture of Federal Government Response Coordination For Significant Cyber Incidents
PPD-41 directs the federal government to coordinate its activities in response to a “significant cyber incident” in three ways: (1) National Policy Coordination; (2) National Operational Coordination; and (3) Field-Level Coordination.
National Policy Coordination
The National Security Staff’s Cyber Response Group (NSC CRG) will “coordinate the development and implementation” of the US “policy and strategy with respect to significant cyber incidents affecting the” US or “its interests abroad.
The NSC CRG is a White House led Assistant Secretary level interagency policy coordination group that coordinates policy related issues for the National Security Council and the Homeland Security Council review as outlined in Presidential Policy Directive-1.
National Operational Coordination
- Agency Enhanced Coordination Procedures: Each federal agency that regularly participates in the CRG shall “establish and follow enhanced coordination procedures as defined in the annex” to PPD-41 “in situations in which the demands of responding to a significant cyber incident exceed its standing capacity.”
- Cyber Unified Coordination Group: A Cyber Unified Coordination Group (UCG) will serve as the “primary method for coordinating between and among” federal agencies “in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts.” The Cyber UCG will be formed at the direction of the National Security Council when two or more federal agencies request its formation. A Cyber UCG will also be formed when a “significant cyber incident affects critical infrastructure owners and operators” identified by the DHS.
- Federal Lead Agencies: In order to ensure the Cyber UCG “achieves maximum effectiveness in coordinating responses to significant cyber incidents,” the following agencies will serve as federal lead agencies:
- Threat Response: The DOJ, acting through the FBI and National Cyber Investigative Task Force, will lead the government’s “threat response” activities.
- Asset Response: The DHS, acting through the National Cybersecurity and Communications Integration Center, will lead the government’s “asset response” activities.
- Intelligence Support: The Office of the Director of National Intelligence, through the Cyber Threat Intelligence Integration Center, will lead the government’s “intelligence support” activities.
Field-level representatives of the federal asset or threat response lead agencies “shall ensure that they effectively coordinate their activities within their respective lines of effort with each other and the affected entity.”
Unified Public Communications
PPD-41 requires the DHS and DOJ to “maintain and update as necessary a fact sheet outlining how private individuals and organizations can contact relevant” federal agencies about a cyber incident.
To read the full text of PPD-41, click here