
Archived Content

In an effort to keep DHS.gov current, the archive contains outdated information that may not reflect current policy or programs.

National Cyber Incident Response Plan Now Available For Public Comment

Dr. Andy Ozment
Assistant Secretary, Cybersecurity and Communications

Over the last seven years, our nation has experienced increasingly severe and significant cyber incidents affecting both the private sector and Federal Government. The U.S. government’s experience responding to cyber incidents such as those that affected Sony Pictures Entertainment and the Office of Personnel Management has taught us valuable lessons and highlighted areas of growth.

To codify those lessons learned, in July, President Obama issued Presidential Policy Directive 41 (PPD-41): United States Cyber Incident Coordination. The directive called for a National Cyber Incident Response Plan (NCIRP) that defines a nationwide approach to cyber incidents and outlines the roles of both federal and non-federal entities. It also outlines how the U.S. government prepares for, responds to, and recovers from significant cyber incidents. And it responds to calls we’ve heard from the private sector to provide clarity and guidance about the Federal Government’s roles and responsibilities, including an answer to the question, “who do I call to report cyber incidents and get help?”

No single federal agency possesses all of the authorities, capabilities, and expertise to deal unilaterally with a significant cyber incident, so PPD-41 breaks down cyber incident response into three roles: asset response, threat response, and intelligence support to both of those activities. Asset response focuses on helping the organization affected by malicious cyber activity find the bad guys on their network, kick them off, and recover. Threat response focuses on identifying, pursuing, and disrupting the bad guys and their activity. As an analogy, think of a significant cyber incident as an arson: when you have a fire caused by arson, you want both the firefighters and the police to be present. The firefighters’ role is to put out the fire: that’s asset response. The police’s role is to determine who set the fire and bring them to justice: that’s threat response.

The Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) is the designated lead for asset response during a significant cyber incident. They are the firefighters: they will find the bad guy on the affected organization’s system and help remove them, determine how they gained access, assess the damage, and provide guidance to the organization on how to make their system more secure. The NCCIC will also identify and alert other organizations that may be at risk from this particular bad guy, share anonymized information about the incident as broadly as possible so that other organizations can protect themselves, and distribute threat indicators related to the incident through our Automated Indicator Sharing capability so that our partners can immediately mitigate this particular threat.

The Department of Justice—specifically, the Federal Bureau of Investigation (FBI) and the National Cyber Investigative Joint Task Force (NCIJTF)—is the lead federal agency responsible for threat response in the event of a significant cyber incident. The FBI and NCIJTF are like the police in our arson analogy: they will conduct appropriate law enforcement and national security investigative activity; identify, pursue, and attempt to apprehend the bad guy; and disrupt and deter malicious cyber activity. DHS also plays a role in threat response: our U.S. Secret Service investigates financial crimes, and Immigration and Customs Enforcement’s Homeland Security Investigations provides threat response for cyber-enabled crimes.

Finally, intelligence support efforts involve creating situational awareness about cyber threats. The Office of the Director of National Intelligence (ODNI), through its Cyber Threat Intelligence Integration Center (CTIIC), is the lead federal agency for intelligence support during significant cyber incidents. The CTIIC does not work directly with organizations that experience cyber incidents; rather, it supports the government effort.

Recognizing that cybersecurity is a shared responsibility and effective cyber incident response must involve all levels of government as well as the private sector, PPD-41 directs DHS to develop an NCIRP. Over the past few months, DHS has coordinated with stakeholders from across the Federal Government; state, local, tribal and territorial governments; and the private sector to develop a draft NCIRP. Today, that draft is available for a 30-day public comment period, and can be viewed at www.us-cert.gov/ncirp.

Building upon PPD-41, the NCIRP outlines the roles and responsibilities of federal, state, local, tribal, territorial, private sector, and international stakeholders during a cyber incident; identifies the core capabilities required in the event of a cyber incident; and describes the coordination structure the Federal Government will use to coordinate its activities with affected stakeholders.

We welcome and encourage feedback on the draft NCIRP and are excited to promote it during National Cyber Security Awareness Month this October. Comments and questions will be accepted through October 31, 2016, and information about providing feedback accompanies the draft plan. We will adjudicate public comments in November and December and plan to submit the final draft of the NCIRP to the White House in January 2017.

For information on who to contact if you experience a cyber incident, please click here.
