Last summer, the White House took a significant step toward defining and coordinating a national response to the growing number of cyberattacks on government, businesses, and consumers—and it couldn’t have come at a better time.
Last July, the Obama Administration released Presidential Policy Directive-41 on U.S. Cyber Incident Coordination Policy, which outlines how the government responds to significant cyber incidents. The directive defines these as incidents “that either singularly or as part of a group of related incidents is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”
The directive introduces a five-point “incident severity schema” that ranks cyber incidents based on their potential impact and aims to ensure a common framework for assessing cyber incidents and the level of response required. Level 1 or 2 events are unlikely to have a significant public or widespread impact, while a level 3 or higher event would warrant a coordinated federal response effort because these events may involve the denial of an essential service or system, destruction or corruption of data, or physical damage.
Here’s a full breakdown of each level of the schema:
In an effort towards better coordination, the document outlines how the government will work with affected private sector entities, state and tribal governments, and other nations. It calls for the creation of a Cyber Unified Coordination Group that includes private sector input into the development, prioritization, and execution of cyber incident response efforts.
Critics have said that prior directives had left businesses, government agencies, and other governments unsure of whom to contact in a cyber incident. This update attempts to simplify the process by designating which federal agencies will take the lead on threat response, asset response, and intelligence support.
The FBI is the lead federal agency for investigating criminal and national security hacks. The Department of Homeland Security will help breached organizations reduce the impact of an event and prevent its spread. The Cyber Threat Intelligence Integration Center will pool intelligence to help identify who directed an intrusion or attack.
Fighting an Avalanche of Hacks
The directive, which had been in the works for at least two years, is seen as additive and builds on previous policy statements. It comes amid an avalanche of malicious cyber activity, demonstrating an increasingly complex and alarming threat to American institutions and commerce. Businesses, government agencies, and taxpayers alike are feeling the burden of recent breaches and their consequences.
- A hack of the Democratic National Committee’s computers and the release of embarrassing DNC emails happened just days before the Democratic National Convention. It is suspected that the Russians coordinated this hack and then released the information via WikiLeaks.
- Chinese hackers unlawfully tapped into a computer at the Office of Personnel Management, exposing the data of 22 million current and former federal employees and their families. The hack cost taxpayers $350 million to notify those employees and protect their identities.
- An attack in 2014 by North Korean hackers disrupted the network of Sony Pictures Entertainment, deleting files and disabling computers, uploading unreleased films, and leaking emails. In 2015, Sony reported spending $15 million and projected that the ultimate cost would continue to grow as it continued to pay damages and indirect costs (forensic investigations, hotline support, etc.).
And these are just a few examples of the devastating breaches that have occurred in the past few years. According to the Ponemon Institute, the average cost of a data breach in 2015 reached $2.2 million, and according to the “2015 Data Breaches Report” by Gemalto Security, 707.5 million data records were compromised in 2015, with the number jumping to almost 1.4 billion data records compromised in 2016.
The government’s directives are more than welcome in the healthcare sector, which has been on the defensive against hacks as well. Medical data has high black-market value and is inviting to cybercriminals because it includes patient names, addresses, social security numbers, policy numbers, diagnosis codes, and billing information. Cybercriminals apparently view these businesses as attractive victims because their cyber security postures are often easily compromised and, because their data is hyper-sensitive, they are likely to pay a ransom. Their infrastructure has to be airtight to protect that data, as they are subject to intense regulation and possible fines under HIPAA.
Only time will tell how these guidelines will continue to affect our data security landscape. When an incident does occur, there are actionable steps that your organization can take.
When, What, and How to Report Cyber Incidents
Cyber incidents resulting in significant damage are of particular concern to federal agencies. The new policy directive encourages business victims of cyberattacks to report when cyber incidents may:
- Result in significant loss of data, system availability, or control of systems.
- Impact a large number of victims.
- Indicate unauthorized access to, or malicious software present on, critical information technology systems.
- Affect critical infrastructure or core government functions.
- Impact national security, economic security, or public health and safety.
The policy directive also encourages victims of cyberattacks to report what sort of incident occurred, how and when the incident was initially detected, what response actions have already been taken, and who has been notified.
Businesses are directed to report cyberattacks to the FBI Field Office Cyber Task Forces, the Internet Crime Complaint Center (IC3), the National Cybersecurity and Communications Integration Center, or the United States Computer Emergency Readiness Team.
This post was first published on Onramp.
As a Partner Success Manager at OnRamp, Natalie is responsible for onboarding new partners and enabling existing partners through training and co-marketing initiatives. ITIL and HIPAA for Business Associates certified, she helps OnRamp's partners find the best solutions for their clients' compliance, security, disaster recovery, and colocation needs.