President Barack Obama established a new Presidential Policy Directive on Tuesday, July 26, 2016 outlining the federal government’s response to future cyber attacks in both the public and private sector. Lisa Monaco, Homeland Security Advisor to President Obama for Homeland Security and Counter Terrorism, announced the new directive setting forth “principles governing the Federal Government’s response to any cyber incident, whether involving government or private sector entities.”
The Directive is a response to the ambiguity in responsibility for investigating cyber attacks and the lack of coordination amongst state and federal agencies and the private sector. As Homeland Security Secretary Jehovah "Jeh" Johnson recently commented, the Department often fields inquiries attempting to determine “Who’s responsible within the federal government for cyber security? Who in the government do I contact in the event of a cyber incident?” This Directive attempts to answer those questions and outlines how both governmental agencies and private companies should report cyber attacks, their respective security obligations, and the potential involvement of federal investigators – depending on the scope and severity of the attack.
The Directive also promulgates a new Cyber Incident Security Schema for determining the severity of cyber incidents and attacks affecting the United States, its capabilities or interests. “This schema establishes a common framework for evaluating and assessing cyber incidents” from a national perspective, defining six levels, zero through five, in ascending order of severity. Each level addresses incident’s potential impact on public health or safety, economic security, public confidence, foreign relations, civil liberties or national security.
Cyber Incident Security Schema
Not every cyber attack or incident rises to the level of necessitating a governmental response or involvement from a federal agency. The Directive distinguishes between generic cyber incidents and “significant” ones. Any intrusion that is considered a “Baseline” or “Low” –to “Medium” attack will generally remain within the province of the private sector. However, any incident or attack that is considered a “High” or “Level 3” cyber incident – demarcated by the dashed line – is considered a “significant” cyber attack, and triggers the involvement of specific federal departments. The Directive provides for the first time the overall architecture on how the federal government is to respond to “significant” threats and the specific agencies designated to coordinate that effort.
Federal Government’s Response to “Significant” Cyber Threats
When faced with a “significant” cyber attack or other cyber incident, the federal government’s Cyber Response Group will establish a Cyber Unified Coordination Group (“Cyber UCG”). A Cyber UCG shall include the lead agencies identified below for threat responses, asset response, and intelligence support, and may also include the relevant sector-specific agency (i.e., Department of Health and Human Services for concerns regarding attacks on the healthcare sector). The President’s directive clarifies which agencies both public and private entities should contact in the event of a “significant” event into three concurrent efforts and establishes a lead federal agency for each area:
Threat Response Activities – this includes investigating the incident or attack, both by the appropriate law enforcement and national security agencies, gathering intelligence, linking related incidents, identifying other areas for potential threat pursuit and disruption, and disseminate their findings. This effort will be led by the Department of Justice, acting through the Federal Bureau of Investigation (“FBI”), and the National Cyber Investigative Joint Task Force.
Asset Response Activities – this includes providing technical assistances to the affected individual or entity to identify, assess, and mitigate the impact of the attack, identify other entities or sectors potentially impacted by the threat and provide guidance to the affected individual or entity on how to properly utilize federal resources and capabilities. This effort will be led by the Department of Homeland Security, acting through the National Cybersecurity and Communications Integration Center. The Department of Homeland Security is also instructed to coordinate with the relevant sector-specific agency for affected individual or entity.
Intelligence Supporting Activities – this includes intelligence collection and analysis to ascertain potential threat trends and to develop situational awareness to better identify and mitigate adversarial threat capabilities. This effort will be led by the Office of the Director of National Intelligence, through the recently-formed Cyber Threat Intelligence Integration Center.
In addition, if a federal agency is itself affected by a cyber attack, “it shall undertake a fourth concurrent line of effort to manage the effects of the cyber incident on its operations, customers and workforce.”
Private Sector Protections Remain Unclear
The President’s new Directive builds on the goals set forth in the Cybersecurity National Action Plan released by the White House in February, designed to enhance cybersecurity awareness and protection in both the public and private sector and the Cybersecurity Information Sharing Act of 2015, signed into law by President Obama in December 2015, enacted to alleviate concerns private entities had with sharing data with the federal government. These initiatives collectively aim to improve the flow of information from the private sector to the federal government with the overall goal of mitigating potential cyber threats and increased efficacy in responding to actual attacks or incidents.
While the President’s directive and its ancillary annex detail the scope and involvement of federal agencies, it remains unclear what involvement, if any, the federal government will have when a cyber incident or attack solely affects a private entity. The Directive notes that when an incident affects a private entity, “the Federal government typically will not play a role in this line of effort, but will remain cognizant of the [individual or entity’s] response activities consistent with these principles and coordinate with the [individual or entity].”
However, Homeland Security Advisor Monaco has previously recognized the impact cyber attacks in the private sector can have on the nation’s critical infrastructure. In February 2015, in the wake of cyber attacks on Target, J.P. Morgan, and Home Depot, Monaco specifically referenced the attack of Sony Pictures Entertainment, which “was a game changer because it wasn’t all about profit” but rather “it was about coercion,” which has closer parallels to terrorism than traditional cyber attacks in the private sector that are driven by financial gain. Monaco has also affirmed that the federal government has to “work in lock step with the private sector” and that “[the federal government] won’t leave the private sector to fend for itself.”
Both the Departments of Justice and Homeland Security, in coordination with relevant sector-specific agencies, are required to submit a “concept of operations” for a potential Cyber UCG to Monaco by late-January 2017, which may outline a more detailed level of protection extended to private individuals and entities that are victims of cyber attacks.
For more information about how new regulations may impact your organizations, or you or your company have questions or concerns, contact the author or a Polsinelli Privacy and Data Security team member.