President Barack Obama announced new measures Tuesday to clarify policies and procedures on how the government should prepare for and respond to various classes of cyberattacks.
In a newly approved presidential policy directive (PPD), the White House is adding structure and further formalizing how, when and which parts of the federal government must be involved in mitigating and responding to a specific cyberattack. Additionally, the PPD looks to define what qualifies as a “significant attack” in comparison to “steady-state incidents,” which can be otherwise understood as digital espionage efforts.
“To date, we’ve had a hard time judging the seriousness of intrusions — we often jump to worst-case scenarios or minimize any impact,” Nathaniel Gleicher, a former National Security Council director for cybersecurity policy, told FedScoop. “A single framework will help to normalize these assessments, ensuring we respond appropriately when breaches occur,” he said.
The policy sets five levels by which the government can classify an attack, looking at how an incident can negatively impact foreign relations, national security or economic interests, civil liberties, or public safety.
While the PPD largely emphasizes existing procedures, it also introduces jurisdictional boundaries for the FBI, Department of Homeland Security and Office of the Director of National Intelligence to follow in relevant cybersecurity investigations, based on the details of the incident.
“This new policy,” FBI Cyber Division Assistant Director James Trainor said in a statement, “[will] enhance the continuing efforts of the FBI — in conjunction with its partners — to protect the American public, businesses, organizations, and the economy and security of our nation from the wide range of cyber actors who threaten us.”
Under the White House’s PPD, the DHS will be responsible for “asset response,” a type of cyber mitigation operation that “involves helping the victim find the bad actor on its system, repair its system, patching the vulnerability, reducing the risks of future incidents, and preventing the incident from spreading to others,” a statement from DHS Secretary Jeh Johnson reads.
Private entities, and local and state governments also have a role to play in preparing a defensive front and helping streamline investigations, but the lion’s share of responsibility will fall to the federal government in cases of “significant [cyber] attacks.” DHS will further formalize the private sphere’s role by helping write the eventual National Cyber Incident Response Plan.
“By integrating cyber and traditional preparedness efforts, the nation will be ready to manage incidents that include both cyber and physical effects,” Obama writes.
Release of the PPD comes as numerous government agencies are investigating the hack of emails connected to the Democratic National Committee, which has been tied to the Russian government and led to the resignation of DNC Chief Debbie Wasserman Schultz.
“I’d say the DNC intrusion — if it was the work of a nation state — probably meets the standard for a ‘significant cyber incident.’ Depending on the facts, it could fit a few of the requirements, but most obviously, it’s ‘likely to result in demonstrable harm to … the public confidence.’ That’s further validation for the seriousness of the breach and the importance of response and mitigation,” said Gleicher, who now serves as chief of cybersecurity strategy at Silicon Valley-based data security startup Illumio.
“This is what cyberwar looks like now. Nobody’s dying. But cyber enables these kind of information operations in unique ways. Trying to mess with the election is not like stealing plans to an F-35. It’s much worse,” Paul Rosenzweig, a former DHS official and now executive at Red Branch Consulting, told Politico.
The directive comes as part of the administration’s Cybersecurity National Action Plan. Released in February, it outlined the short- and long-term plans aimed at strengthening networks inside and outside government against hackers, protecting privacy and raising Americans’ awareness of digital security measures.