The Department of Homeland Security and its federal partners stand ready to defend against a major cyberattack by employing the Obama administration’s new cyber incident response plan, senior DHS official Phyllis Schneck told CyberScoop.
“Our interagency relationships are I think the best they’ve ever been,” Schneck said, pushing back in a recent interview against criticism of the federal response schema laid out by the Obama administration this year.
Schneck, the DHS’ deputy undersecretary for cybersecurity and communications, said there was “open communication, 24/7” about incidents and mitigation strategy between the DHS National Cybersecurity and Communications Integration Center, NCCIC; the FBI-led National Cyber Investigative Joint Task Force; and the NSA Threat Operations Center, NTOC.
“I have seen those relationships only get stronger,” she added.
“We are the firefighter here,” she said, characterizing DHS’ “asset response” responsibilities under Presidential Policy Directive 41, signed in July. “Our job is to put the fire out, make sure it doesn’t spread” — by sharing information about attacks.
Threat response — the cop to DHS’ firefighter — is down to the Justice Department. The nation’s intelligence agencies will provide “intelligence support and related activities.”
PPD 41 and the associated National Cyber Incident Response Plan are designed to map out the U.S response to a major cyberattack, like the one some fear might be planned for Election Day.
The definition it outlines of a “significant cyber incident” is one “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”
“It’s very, very broad,” said Schneck. She stressed that she would not be the one to make the decision, but suggested that the massive hack of the U.S. Office of Personnel Management — in which Chinese cyberspies stole the personal information and fingerprint of more than 20 million applicants for federal security clearances — would easily qualify.
“I hope that the bar for this is lower than that,” she said.
If there is a “significant” incident, she said DHS would find out about it through the NCCIC — which has representatives of private sector groups of telecom and internet providers sitting in its 24-hour watch center.
At least one major news media company has reached out to DHS ahead of the election, amid concern that, unable to actually influence the vote, foreign hackers might resort to spreading disinformation and trying to silence or crash other news outlets.
Such an incident could trigger the PPD 41 provision for a “Significant cyber incident” — and the stand up of a special interagency “Cyber Unified Coordination Group” in the White House.
But for lower level incidents, “DHS is the team captain out of the NCCIC,” Schneck said, and could “definitely leverage extra personnel from Cyber Command and DoD and … other government agencies.”
The legal authorities under which military or intelligence personnel might work alongside civilian federal responders from DHS are “being worked out,” she said as the response structure outlined in PDD 41 and the NCIRP was built out.
“We’re at a point where if we ever needed any of this … we would have it,” she said.
She said flyaway response teams could be “put together in minutes … [and] leave in hours.”
“Depending on location, we can send a team in — ours experts working alongside the private sector responders,” she said.