Presidential Policy Directive PPD-41 Describes a National Cyber Incident Response Plan
The U.S. Government finally has its own incident response plan. In reality it is more like the framework for the development of an incident response plan (IRP), but it is a good high-level start. An IRP for a nation is more complex than an IRP for an organization, but Obama’s new Presidential Policy Directive on Cyber Incident Coordination (PPD-41), approved on Tuesday, begins to define what constitutes a cyber incident, and who is responsible for responding to that incident.
The first problem is to define whether an incident requires a national response. Here the PPD describes a cyber incident severity schema specifying six color-coded levels from zero to five. Level zero, colored white, is an unsubstantiated or inconsequential event. Incidents then rise in severity through level one (green): unlikely to impact public health or national security; level two (yellow): may impact public health or national security; level three (orange): likely to result in a demonstrable impact to public health or national security; level four (red): likely to result in a significant impact to public health or national security; and finally level five (black): poses an imminent threat to the provision of wide-scale critical infrastructure services. Each of these levels is given additional definition, including economic effects, foreign relations, national stability, et cetera; but the point to note is that an incident ranking level three and upwards is categorized as ‘significant’ and will trigger a national response.
This is no different in concept to an organizational IRP. You don’t trigger the plan because a system was infected with common malware — but you do trigger it for a major incident involving the exfiltration of PII or PHI.
The PPD accepts that significant incidents involving private companies are likely to have different response priorities to national governments. Here it stresses that government agencies will be cognizant of private concerns. “To the extent permitted under law,” says the PPD, “Federal Government responders will safeguard details of the incident, as well as privacy and civil liberties, and sensitive private sector information, and generally will defer to affected entities in notifying other affected private sector entities and the public.”
Once an IRP is triggered, it is essential for everyone to know who is responsible for what aspect of the plan. Obama’s PPD specifies this. It defines three separate incident categories, each requiring a response from a different branch of government. These are ‘threat response’, ‘asset response’ and ‘intelligence related support’.
Bearing in mind that this only happens for ‘significant cyber incidents’ (level three and above), it is not surprising that the FBI is the lead agency for threat response since, says the PPD, “significant cyber incidents will often involve at least the possibility of a nation-state actor or have some other national security nexus.”
The National Cybersecurity and Communications Integration Center of the DHS takes responsibility for ‘asset response’, while the Office of the Director of National Intelligence is ultimately responsible for ‘intelligence support and related activities’. These agencies are not expected to undertake the entire response activity themselves, but are responsible for coordinating any multi-agency response.
One noticeable aspect of this PPD is that the level of highest severity is not classified as an ‘act of war’. This would be difficult and potentially dangerous; and would be an emotional rather than a logical thing to do. If you can prove beyond a doubt that the Chinese were behind the OPM hack, or the Russians were behind the DNC breach, or North Korea behind the Sony compromise, would you then be forced to call them Acts of War? And how would you have to respond to an act of war?
As it is, the PPD makes it clear that threat response can include “identifying threat pursuit and disruption opportunities”, while intelligence support can include “the ability to degrade or mitigate adversary threat capabilities.” There is no need to define an ‘act of war’ classification since US agencies already have the authority to operate abroad in the face of a ‘significant incident’.
Obama’s PPD is, of necessity, just a framework. It has not yet been tested in fire. This will happen soon enough, and the details underlying this framework will begin to be filled in.