President Barack Obama on Wednesday signed a policy on Cyber Incident Coordination called Presidential Policy Directive, or PPD, 41. The document outlines the federal government’s roles and approach for responding to significant cyber incidents.
“The PPD spells out the lines of responsibility within the federal government for responses to a significant cyber incident, and specifies who to contact in the government in the event of an incident,” said Department of Homeland Security (DHS) Secretary Jeh C. Johnson. “The PPD delineates between ‘threat responses’ and ‘asset responses.’ A ‘threat response’ essentially involves investigating the crime, so that we can hunt down the bad actor. As the PPD spells out, federal law enforcement is the key point of contact for a threat response. The Department of Homeland Security, through our cybersecurity experts at the National Cybersecurity and Communications Integration Center, will act as the point of contact and lead coordinator for asset response. ‘Asset response,’ like a threat response, is crucial. It involves helping the victim find the bad actor on its system, repair its system, patch the vulnerability, reduce the risks of future incidents, and prevent the incident from spreading to others.”
In terms of who does what, DHS officials Phyllis Schneck, deputy under secretary for cybersecurity and communications for the National Protection and Programs Directorate (NPPD), and Andy Ozment, assistant secretary for cybersecurity and communications at DHS, explained the division of roles by offering an analogy.
Think of each cyber incident as the equivalent of a fire in the physical world, they said. When a building is on fire, you want the firefighters present and, if the fire is suspicious, the police as well. DHS’ National Cybersecurity and Communications Integration Center (NCCIC) is like the firefighter, helping the owner of the building put out the fire and then rebuild it to be more fire-resistant. The NCCIC also works on fire prevention, to stop these incidents from happening in the first place and to keep fires from spreading to nearby structures. Federal law enforcement agencies, including the U.S. Secret Service (USSS), U.S. Immigration and Customs Enforcement/Homeland Security Investigations (HSI), and the Federal Bureau of Investigation (FBI), are the equivalent of the police. They work to identify and catch the criminal who set the fire.
Within a Cyber Unified Coordination Group (UCG), the NCCIC will act as the lead federal government coordinator for “asset response” activities.
At the tactical level, the NCCIC will continue to help affected entities:
• Find the adversary on its systems
• Learn how the adversary broke in
• Remove the adversary from its systems
• Rebuild its systems to be more secure moving forward
At the strategic level, the NCCIC’s role will be analogous to the role of FEMA in physical events. The NCCIC will:
• Coordinate the provision of assistance from all government agencies to the victim
• Use anonymized information from the affected entity and share it broadly, so that other companies and governments can protect themselves
• Distribute threat indicators through its Automated Indicator Sharing system, which was established by Congress in December 2015
• Identify other entities that may be particularly at risk from the same attack and alert them
DHS also plays an important role in “threat response” activities for cyber incidents. DHS law enforcement components, specifically the USSS and HSI, will continue to conduct criminal investigations into cyber incidents in coordination with other law enforcement agencies. Within a Cyber UCG, these activities will be coordinated with the National Cyber Investigative Joint Task Force, which serves as the lead coordinator for “threat response” activities to a significant cyber incident.