
White House Releases Cyber Incident Coordination Plan

In an effort to better facilitate the federal response to cyber-incidents,[1] the Obama Administration released a Presidential Policy Directive on United States Cyber Incident Coordination (“PPD”)[2] on July 26, 2016. The PPD continues the White House’s ongoing focus on securing the U.S. from cyber-incidents, an effort first initiated with the Cybersecurity National Action Plan in early February 2015.[3]

The PPD requires that in any response to a cyber-incident the Federal Government be guided by the principles of: a) shared responsibility; b) risk-based response; c) respecting affected entities; d) unity of governmental effort; and e) enabling restoration and recovery. These principles emphasize the shared interest of governmental agencies and the private sector in responding to such an incident, matching the response to the threat, and uniting the efforts of the various governmental entities involved.

The PPD creates a response architecture that stresses coordination among Federal agencies in responding to cyber-incidents. It requires Federal agencies to work together to concurrently carry out necessary law enforcement actions, to offer technical assistance to mitigate damage and vulnerabilities, and to provide intelligence support that creates situational awareness of the threat. If an incident is deemed a significant incident, a Cyber Unified Coordination Group (UCG) serves as the primary mechanism for coordinating the incident response efforts of the various Federal agencies and private sector partners. The UCG is staffed by appropriate senior executives assigned from the various Federal agencies. The UCG is intended to produce unity of effort among the assigned agencies; it does not alter any agency’s authorities or its leadership, oversight or command responsibilities.

The White House also concurrently released a Cyber Incident Severity Schema[4] that defines six levels (0-5) of cyber-incidents. The goal of the Schema is to provide a framework for agencies to evaluate incidents and to ensure that all departments and agencies share a common view of the severity of an incident, the urgency required in responding to it, the seniority level necessary for coordinating the response, and the level of investment the response requires. Any incident at or above Level Three is considered a significant incident and triggers the coordinated effort described in the PPD.

Only time will tell whether the intent of cooperation and collaboration expressed in the PPD and Schema can be successfully applied to Federal agencies’ response to cyber-incidents and, most importantly, whether that cooperation and collaboration produce better outcomes in these incidents.

[1] The PPD defines “cyber incidents” as an “event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon. For purposes of this directive, a cyber incident may include a vulnerability in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.”

[2] A complete copy of the Presidential Policy Directive can be located at https://www.whitehouse.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident.

[3] An overview of the Cybersecurity National Action Plan can be located at https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan.

[4] A complete copy of the Cyber Incident Severity Schema can be located at https://www.whitehouse.gov/sites/whitehouse.gov/files/documents/Cyber%2BIncident%2BSeverity%2BSchema.pdf.