The White House released on July 26, 2016 Presidential Policy Directive No. 41 (PPD) on “United States Cyber Incident Coordination.” PPD No. 41 builds on the Cybersecurity National Action Plan, released earlier this year. Cybersecurity incidents are increasingly sophisticated and persistent. The healthcare sector has seen its fair share of cybersecurity incidents in recent years.
The PPD sets forth principles governing the Federal Government’s response to any cybersecurity incident involving a private sector or government entity and establishes a “unity of effort” within the Federal Government and especially close coordination between the public and private sectors. However, the major focus of the PPD’s guidance is on significant cybersecurity incidents. A “significant cyber incident” is an incident, or group of incidents, that is likely to result in demonstrable harm to national security interests, foreign relations, or the economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.
The White House has also released a “Cyber Incident Severity Schema” that establishes a common framework within the Federal government for evaluating and assessing the severity of cybersecurity incidents and which will help identify significant cybersecurity incidents. Significant cybersecurity incidents, according to the schema, are those that are level 3 (high, orange) or higher. The general definition for a level 3 incident is one which is “[l]ikely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.” The most significant cybersecurity incident is level 5 (emergency, black) in which the incident “[p]oses an imminent threat to the provision of wide-scale critical infrastructure services, national gov’t stability, or to the lives of U.S. persons.”
The PPD sets forth five guiding principles for the Federal government in carrying out incident response activities. These principles summarized as follows:
- Individuals, the private sector, and government agencies have a shared responsibility, vital interest, and complementary roles and responsibilities in protecting the Nation from malicious cyber activity and managing cybersecurity incidents and their consequences.
- The Federal Government will determine its response actions and resources based on an assessment of the risks posed to an entity, national security, foreign relations, the broader economy, public confidence, civil liberties, or the public health and safety of the American people.
- To the extent permitted under law, the Federal government responders will safeguard the details of the incident, as well as privacy and civil liberties, and sensitive private sector information.
- Efforts by the Federal government must be coordinated. Whenever a Federal agency first becomes aware of a cybersecurity incident, the agency will rapidly notify other relevant Federal agencies to facilitate a unified Federal response. Additionally, the transitional nature of the Internet and communications infrastructure requires the United States to coordinate with international partners, as appropriate, in managing cybersecurity incidents.
- Federal response activities will be conducted to facilitate restoration and recovery of an entity that has experienced a cybersecurity incident.
In the PPD, there are three concurrent lines of effort: threat response, asset response, and intelligence support and related activities. The lead agencies for these lines of effort are as follows:
- The Department of Justice, acting through the FBI and the National Cyber Investigative Joint Task Force (NCIJTF), will be taking the lead on threat response activities.
- The Department of Homeland Security, acting through the National Cybersecurity and Communications Integration Center, will be lead agency for asset response activities.
- The Office of the Director of National Intelligence, through its Cyber Threat Intelligence Integration Center, will be lead agency for intelligence support and related activities.
The PPD requires the Departments of Justice and Homeland Security to maintain updated contact information for public use to assist entities affected by cybersecurity incidents in reporting those incidents to the proper authorities. Significantly, however, the PPD does state that the Federal government typically will not play a role in asset response activities (e.g., maintaining business or operational continuity, protecting privacy, engaging in communications with employees or other affected individuals, dealing with external affairs, etc.), but that the relevant sector-specific agency (HHS for healthcare and public health) will generally coordinate the Federal government’s efforts to understand the potential business or operational impact of a cybersecurity incident on the private sector.
Further, the FBI will serve as the lead for threat response and will play a key role in the event of a significant cybersecurity incident. Threat response activities include conducting appropriate law enforcement and national security investigative activity at the affected entity’s site, collecting evidence and gather intelligence, identifying threat pursuit and disruption opportunities, mitigating the immediate threat, and facilitating information sharing and operational coordination. Additional information can be found in the FBI’s press release.