President Barack Obama on Tuesday issued a new policy directive that specifies how the federal government will respond to significant cyber security incidents against government and private networks with differing roles for the Departments of Justice (DoJ) and Homeland Security (DHS) and the Office of the Director of National Intelligence (ODNI) based on the type of response.

Presidential Policy Directive (PPD)-41 builds on lessons learned from a number of cyber security incidents, in particular attacks against a United States division of Sony Corp. [SNE]  and the federal Office of Personnel Management (OPM), and lays out best practices for responding to cyber incidents and attempts to prevent bureaucratic turf battles by giving authority to specific departments and agencies for leading response efforts.

President Barack Obama in the Oval Office. White House photo by Pete Souza

“That experience has allowed us to hone our approach but also demonstrated that significant cyber incidents demand a more coordinated, integrated, and structured response,” says a White House fact sheet on PPD-41.

James Lewis, a cyber security expert with the Center for Strategic and International Studies, told Defense Daily in a telephone interview that, based on a discussion he had with the White House aides who crafted the new directive, there was a desire to apply the lessons learned from the Sony and OPM breaches and “boil them down for the next team so they wouldn’t have to relearn it.”

“One of the issues they were trying to solve was the sort of bureaucratic squabbling over who’s in charge and so that’s why there is clear assignment for the DoJ, DHS and DNI,” Lewis said.

For threat response activities, which the White House says require law enforcement and national security investigation at an affected entity’s site, the Justice Department has the lead for responding.

“In view of the fact that significant cyber incidents will often involve at least the possibility of a nation-state actor or have some other national security nexus, the Department of Justice, acting through the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force, shall be the Federal lead agency for threat response activities,” the directive says.

DHS, through its National Cybersecurity and Communications Integration Center, has the lead for asset response activities. These activities include mitigating the incident, identifying other entities that may be at risk, and providing technical assistance and risk assessments, PPD-41 says.

Homeland Security Secretary Jeh Johnson said in a statement that asset response “involves helping the victim find the bad actor on its system, repair its system, patching the vulnerability, reducing the risks of future incidents, and preventing the incident from spreading to others.” He also noted that the directive requires DHS to lead the effort to write a National Cyber Incident Response Plan that will establish how the federal government will work with the private sector and state and local government in responding to significant cyber incidents.

The ODNI is responsible for providing intelligence support to help build situational threat awareness and intelligence sharing, PPD-41 says.

When it comes to data breaches of federal networks, the directive says the affected entity will work to manage the incident, including maintaining business continuity, protecting privacy, conducting employee and other communications, and addressing financial impacts.

For private sector breaches the federal government will keep tabs on the incident and the relevant federal sector agency will “generally coordinate the Federal Government’s efforts to understand the potential business or operational impact of a cyber incident on private sector infrastructure,” the directive says.

Lewis said the White House staffers told him that “the private sector is the first responder for the company but the government is the first responder for protecting the nation.” This means the government plays a role in information sharing about threats but it also has a “role in the initial stages of the investigation” to help determine who the attacker might be, such as a nation-state or criminal organization, he said. Ultimately there is a different response if a cyber attack or hack is generated by a specific country or criminal organization, he said, adding that “no company is going to be able to defend itself from the Russians or the Chinese and that’s where the government is going to come in.”

In addition to putting forth the roles of the lead agencies for response efforts, the directive also sets out two additional ways the government will coordinate its major cyber incident response activities. One of these is through a Cyber Response Group that supports the National Security Council and will coordinate policy and strategy development and implementation “with respect to significant cyber incidents affecting the United States or its interests abroad.”

The other is the creation of a Cyber Unified Coordination Group (UCG), which is how the various federal agencies will link up and integrate with the private sector in response to an incident, the directive says. Cyber UCGs will stand up as needed.

“The Cyber UCG is intended to result in unity of effort and not to alter agency authorities or leadership, oversight, or command responsibilities,” the directive says.

Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security Committee, lauded the new directive for “clarifying the lead federal agencies and their roles and responsibilities” in coordinating responses to cyber incidents. He is also pleased with the pending efforts to finalize the National Cyber Incident Response Plan, which was called for in legislation.

“This vital plan will help ensure these recently-passed cyber security laws we have been fighting for will be fully implemented and effectively carried out to strengthen our nation’s cyber security,” McCaul said.