Earlier this year, the Obama Administration—in recognition of the growing cyber threat from criminals, terrorists, and others who wish to do us harm—released its Cybersecurity National Action Plan. 

One aspect of this multi-layered plan was a specific focus on improving cyber incident response. Because the victim of cyber incidents is often a private sector entity, it’s crucial that the private sector understands how the U.S. government will respond and coordinate in the event of a cyber incident impacting their networks, operations, or business.

So today, the Administration released Presidential Policy Directive-41 on U.S. Cyber Incident Coordination Policy, which sets forth principles that will govern the federal government’s response to cyber incidents and designates certain federal agencies to take the lead in three different response areas—threat response, asset response, and intelligence support. Those agencies and their roles are as follows:

• The Department of Justice, acting through the FBI and the National Cyber Investigative Joint Task Force (NCIJTF), will be taking the lead on threat response activities;
• The Department of Homeland Security, acting through the National Cybersecurity and Communications Integration Center, will be the lead agency for asset response activities;
• And the Office of the Director of National Intelligence, through its Cyber Threat Intelligence Integration Center, will be the lead agency for intelligence support and related activities.  

As the lead for threat response, the FBI will play a key role in the event of a significant cyber incident, communicating with field-level coordinators on the ground to coordinate an effective, multi-agency response to the incident. Threat response activities include conducting appropriate law enforcement and national security investigative activity, like collecting evidence and gathering intelligence; mitigating the immediate threat; identifying disruption activities; and facilitating information sharing and operational coordination with asset response personnel.  

Additionally, according to the PPD, the FBI will also take part in the Cyber Unified Coordination Group, an entity to be formed in the event of a significant cyber incident that will also include asset response coordinators and, as appropriate, other federal agencies; local, state, and tribal governments; non-governmental organizations; the private sector; and international counterparts. This mechanism will take collaboration among all responding agencies to an even higher level.   

The principles raised in PPD-41 that will guide the federal government’s response to cyber incidents closely align with the FBI’s values and priorities already in place when dealing with cyber incidents. The Bureau already believes that:

• Prevention and management of cyber incidents is a shared responsibility among the government, private sector, and individuals;
  
• All incidents should be approached through a united federal government strategy that best uses the skills, authorities, and resources of each agency;
• The response will be based on an assessment of the risks posed to U.S. security, safety, and prosperity, and will focus on enabling the restoration and recovery of the affected entity; and
  
• The government will respect the privacy, civil liberties, and the business needs of victims of cyber incidents.

According to FBI Assistant Director James Trainor, Cyber Division, “PPD-41 codifies the essential role that the FBI plays in cyber incident response, recognizing its unique expertise, resources, and capabilities. And as the Bureau continues evolving to keep pace with the cyber threat, the authorities contained in PPD-41 will allow us to help shape the nation’s strategy for addressing nationally-significant cyber incidents.”

“This new policy,” said Trainor, “will also enhance the continuing efforts of the FBI—in conjunction with its partners—to protect the American public, businesses, organizations, and the economy and security of our nation from the wide range of cyber actors who threaten us.”  

Resources:

• Presidential Policy Directive: United States Cyber Incident Coordination
  
• FBI Cyber Division
  
• Guide for reporting cyber incidents to the federal government