White House working on plan to respond to a national cyberattack

The Obama administration is developing a plan that would establish the responsibilities and roles that governments and businesses would carry out in response to a widespread cyberattack, a strategy that would be similar to how the public and private sectors' collaboration after a natural disaster such as a hurricane, a White House official said on Tuesday.

"What is our plan for a digital disaster? How do we work with [partners] like we do when there's a hurricane or another national disaster?" asked Melissa Hathaway, acting senior director for cyberspace at the National Security Council. "We're coming up with chapters of what we think will be a responsible [incident response] plan."

The White House released the Cyberspace Policy Review report on May 29, which calls for the government to develop an incident response framework that will give the yet-to-be-appointed federal cybersecurity chief the authority to coordinate capabilities and responsibilities.

"I think there's a number of things government hasn't thought about that should be [incorporated] into the plan," said Hathaway, who spoke at a symposium hosted by Symantec, an information security firm.

Once finalized, the administration will share the plan with the Homeland Security Department, which will conduct a simulated test to determine how well the strategy would work in the event of a cyberattack and solicit feedback from state and local government officials and business groups.

The Bush administration conducted simulations in 2006 and 2008 to test the nation's ability to respond to a catastrophic cyberattack. In the most recent exercise, called Cyberstorm II, government and industry officials responded to simulated attacks launched through e-mails, phones, faxes, Web sites and in-person contacts.

The National Security Council also is working with federal Chief Technology Officer Aneesh Chopra to develop a wiki site that would allow federal, state and local governments and business groups to collaborate on creating the framework, according to Hathaway.

A key requirement for cyber incident response is information sharing. "We have a view in government from the intelligence agencies, Defense Department, DHS and the law enforcement community, but it's not enough," she said. "We need to pool data to move from national to global situational awareness," incorporating information private sector and foreign governments and groups collect.

The administration will have to address many legal issues to develop the plan. For example, industry groups have pushed for protections from lawsuits that hold them accountable for cyberattacks, and some forms of information sharing could violate antitrust laws.

"We've identified scores of legal issues that will take the entire term or two terms for the president to resolve," Hathaway said. "We're working with the Justice Department and Congress to [establish] laws and policies that would clarify this space. We need to address this, because we need to be able to share data to secure our environment."