Last week, President Obama issued a new Presidential Policy Directive (PPD) establishing principles to govern the federal government’s response to cyber incidents, “whether involving government or private sector entities.” Titled “PPD-41,” the document also designates the lead federal agencies for so-called significant cyber incidents and creates an “architecture for coordinating the broader Federal Government response” to significant cyber incidents that is further described in an attached Annex.
PPD-41 defines a cyber incident as:
An event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon. [A] cyber incident may include a vulnerability in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
A “significant cyber incident” is one that is “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”
Among other things, the PPD sets forth five principles of incident response to guide the federal government’s response to cyber incidents. The principles are:
- Shared Responsibility. This principle provides that cybersecurity is a “shared and vital interest” between individuals, the private sector, and the federal government.
- Risk-Based Response. The federal government’s response to a cyber incident will be based on an assessment of the risks posed to an entity, national security, foreign relations, the broader economy, public confidence, civil liberties, or the public health and safety of the American people.
- Respecting Affected Entities. This principle provides that the government will protect the confidentiality of details of the incident and generally will defer to affected entities with regard to the provision of notifications.
- Unity of Governmental Effort. This principle emphasizes the importance of coordination among government entities in responding to a cyber incident. It also provides that “[w]hichever Federal agency first becomes aware of a cyber incident will rapidly notify other relevant Federal agencies in order to facilitate a unified Federal response and ensure that the right combination of agencies responds to a particular incident.”
- Enabling Restoration and Recovery. Finally, the PPD states that response activities must balance investigative and national security requirements, public health and safety, and the need to restore normal operations quickly in order to facilitate an entity’s restoration and recovery.
The PPD also states that the federal government’s response to a cyber incident will generally consist of three concurrent lines of effort: threat response, which includes activities such as investigation and attribution; asset response, which includes activities such as providing technical assistance and facilitating information sharing; and intelligence support, which includes activities such as the building of situational threat awareness and sharing of threat intelligence. For significant cyber incidents, these lines of effort will be led by the Department of Justice (FBI/National Cyber Investigative Joint Task Force), the Department of Homeland Security (National Cybersecurity and Communications Integration Center), and the Office of the Director of National Intelligence (Cyber Threat Intelligence Integration Center), respectively.