Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

New Presidential Policy Directive Details U.S. Cyber Incident Response

White House

Presidential Policy Directive PPD-41 Describes a National Cyber Incident Response Plan

White House

Presidential Policy Directive PPD-41 Describes a National Cyber Incident Response Plan

The U.S. Government finally has its own incident response plan. In reality it is more like the framework for the development of an incident response plan (IRP); but it is a good high level start. IRP for a nation is more complex than IRP for an organization; but Obama’s new Presidential Policy Directive on Cyber Incident Coordination (PPD-41), approved on Tuesday, begins to define what constitutes a cyber incident, and who is responsible for responding to that incident.

The first problem is to define whether an incident requires a national response. Here the PPD describes a cyber incident severity schema specifying six color-coded levels from zero to five. Level zero, colored white, is an unsubstantiated or inconsequential event. Incidents then rise in severity through level one (green): unlikely to impact public health or national security; level two (yellow): may impact public health or national security; level three (orange): likely to result in a demonstrable impact to public health or national security; level four (red): likely to result in a significant impact to public health or national security; and finally black: poses an imminent threat to the provision of wide-scale critical infrastructure services. Each of these levels is given additional definition, including economic effects, foreign relations, national stability, etcetera; but the point to note is that an incident ranking level three and upwards is categorized as ‘significant’ and will trigger a national response.

This is no different in concept to an organizational IRP. You don’t trigger the plan because a system was infected with common malware — but you do trigger it for a major incident involving the exfiltration of PII or PHI. 

The PPD accepts that significant incidents involving private companies are likely to have different response priorities to national governments. Here it stresses that government agencies will be cognizant of private concerns. “To the extent permitted under law,” says the PPD, “Federal Government responders will safeguard details of the incident, as well as privacy and civil liberties, and sensitive private sector information, and generally will defer to affected entities in notifying other affected private sector entities and the public.”

Once an IRP is triggered, it is essential for everyone to know who is responsible for what aspect of the plan. Obama’s PPD specifies this. It defines three separate incident categories that require a response from a different branch of government. These are ‘threat response’, ‘asset response’ and ‘intelligence related support’.

Bearing in mind that this only happens for ‘significant cyber incidents’ (level three and above) it is not surprising that the FBI is the lead agency for threat response since, says the PPD, “significant cyber incidents will often involve at least the possibility of a nation-state actor or have some other national security nexus.”

The National Cybersecurity and Communications Integration Center of the DHS takes responsibility for ‘assets response’, while the Office of the Director of National Intelligence is ultimately responsible for ‘intelligence support and related activities’. These agencies are not expected to undertake the entire response activity themselves, but for coordinating any multi-agency response.

Advertisement. Scroll to continue reading.

One noticeable aspect of this PPD is that the level of highest severity is not classified as an ‘act of war’. This would be difficult and potentially dangerous; and would be an emotional rather than a logical thing to do. If you can prove beyond a doubt that the Chinese were behind the OPM hack, or the Russians were behind the DNC breach, or North Korea behind the Sony compromise, would you then be forced to call them Acts of War? And how would you have to respond to an act of war?

As it is, the PPD makes it clear that threat response can include “identifying threat pursuit and disruption opportunities”; while intelligence support can include “the ability to degrade or mitigate adversary threat capabilities.” There is no need to define an ‘act or war’ classification since US agencies already have the authority to operate abroad in the face of a ‘significant incident’.

Obama’s PPD is, of necessity, just a framework. It has not yet been tested in fire. This will happen soon enough, and the details underlying this framework will begin to be filled in.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.