Information security is a dynamic field, with the threat landscape and defense technologies changing on a weekly, if not daily, basis. One day APTs are the big problem, and the next it’s ransomware. This fluid environment makes it difficult for defenders and response teams to know what to do and who to call when things go south.
Perhaps nowhere is that more true than in the federal government, a fact that President Obama acknowledged tacitly on Tuesday when he released a new Presidential Policy Directive that spells out exactly which agencies are in charge of what when there’s a major security incident. This is the first time that a president has specified who should do what and with whom when there’s a big compromise or data breach, and it’s an important step for the federal government.
The directive says that the FBI will be the lead investigative agency for threat response, and that DHS will handle so-called “asset response” activities. In plain English, that means that the FBI will do what it does best, investigating crimes, and DHS will deal with the compromised assets that were part of an attack. The Office of the Director of National Intelligence will also play a part, supporting these efforts with intelligence gathering and distribution.
“In view of the fact that significant cyber incidents will often involve at least the possibility of a nation-state actor or have some other national security nexus, the Department of Justice, acting through the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force, shall be the Federal lead agency for threat response activities,” the directive says.
Designating the FBI as the lead agency for investigation of security incidents is a key move for Obama, and it’s one that’s long overdue. For decades now, it’s been unclear which agency was in charge when things went wrong, although the FBI has been seen as the de facto power in this situation. As the top federal law enforcement agency, the FBI takes charge of federal investigations, and that’s come to include cyber attacks that threaten national security. But it’s never been explicitly laid out before, so private sector organizations that were victims of major breaches were never sure which agency to contact.
That changes with this directive. The FBI and DHS now are the go-to agencies for investigation and response, respectively. That will help both federal agencies and private sector organizations know where to go if they’re attacked. The directive also emphasizes that the key to defeating cyber attacks is coordination and cooperation among government and private sector organizations.
“While the vast majority of cyber incidents can be handled through existing policies, certain cyber incidents that have significant impacts on an entity, our national security, or the broader economy require a unique approach to response efforts. These significant cyber incidents demand unity of effort within the Federal Government and especially close coordination between the public and private sectors,” the directive says.
While the directive offers plenty of detail about who’s responsible for what when it comes to cyber attacks, the thing that is conspicuously absent is how the government plans to respond to attacks. The Obama administration has followed the lead of the Bush administration before it in hinting vaguely about offensive responses to cyber attacks. But it has never spelled out what a response might look like and what might trigger it. That likely will never happen, as it’s counterproductive. But it’s safe to assume that the government has such a plan in place and probably already has used it.
Either way, having an explicit plan for response to major cyber incidents is a big step forward for the U.S. government, if a little bit late.