Finalizing cyber incident response might be easier than deciding when to use it

The revised National Cyber Incident Response Plan is on track to be completed by the end of the year, but the more difficult challenge might be determining when a cyber incident reaches a threshold that activates the plan.

Shutterstock image: breached lock.

One of the provisions of Presidential Policy Directive 41 is updating the interim National Cyber Incident Response Plan drafted in 2010. The revised plan is on target to be completed by the end of the year, but one question it cannot clearly address is the circumstances under which it should be put into action.

Since the Obama administration's July release of PPD-41, which lays out guiding principles, roles and responsibilities in the event of a significant cyber incident, the directive has yet to be invoked. Agencies are conducting training exercises while a working group scrambles to meet the 180-day deadline to revise the plan.

That deadline falls on Jan. 22, 2017 -- two days after the next president is sworn in, which is why one Department of Homeland Security official said there is a full-court press to get the plan completed and signed before the next administration takes office.

Bridgette Walsh, branch chief for strategy and integration in DHS' Office of Cybersecurity and Communications, said the latest draft of NCIRP is a substantial departure from the interim one that has been the roadmap for the past six years.

The intelligence and law enforcement communities have received a number of new authorities since the earlier version was released, Walsh said at the Oct. 26 meeting of the Information Security and Privacy Advisory Board at the National Institute of Standards and Technology. Those authorities are included in the Federal Information Security Modernization Act, the National Cybersecurity Protection Act and the Cybersecurity Act.

The latest NCIRP was drafted in 90 days with substantial input from industry, government agencies and representatives of the 16 sectors designated as critical infrastructure under last year's PPD-21.

NCIRP focuses on three lines of effort: threat response, asset response and intelligence response. It outlines coordination structures, provides a "who to call" list in case of a cyberattack and contains a new Cyber Incident Severity Schema that is designed to assess whether an incident should trigger implementation of NCIRP.

That is proving to be one of the most complicated issues to address.

"When we look back to something like the [Office of Personnel Management] breaches, that is something we have used as an example that perhaps could have utilized the new structure and the new coordination mechanisms," Walsh said. "I think that is the challenge from a cybersecurity perspective where [there] are very distinct differences between physical and cyber worlds."

The Sony hack is another example the working group explored as a possible trigger for an NCIRP response. "We haven't made a final determination," she added.

Walsh said the group has not come up with a clear example of an incident that would require a PPD-41/NCIRP response. "I think some of it is just going to take practice, and we're going to have to have a finalized plan, all work from the same plan and then figure out how to adapt to every situation that comes along," she added.

NCIRP is not designed to mandate every aspect of a response to a cyber incident, Walsh said. Instead, it allows for flexibility to assess each situation on a case-by-case basis and assemble the needed Unified Coordination Group, which will dissolve after the response is complete.

Walsh said she is considering suggesting that each industry sector devise its own version of the NCIRP schema to address the threats that are specific to its activities. For example, the medical sector might base its response on how many hospitals or patient records are affected, and the financial sector might build its schema around the number of banks or accounts affected by a cyber incident.

The new NCIRP is in the final stages of a comment period that ends on Oct. 31. The working group will spend November reviewing and reconciling the comments before presenting a final draft to White House officials for review and approval sometime in December.

Walsh said her goal is to have the draft approved as the new interim version so it replaces the outdated 2010 draft and serves as the roadmap until it's officially signed.

"My huge forcing function [is] to get this plan adjudicated and into the grind, the process, as quickly as possible because I can tell you we have huge proponents across the national security staff," Walsh said, including White House Cybersecurity Coordinator Michael Daniel, homeland security adviser Lisa Monaco and President Barack Obama.