


Cyber incident response: Who does what?

Sep 01, 2016
Tags: Advanced Persistent Threats, Critical Infrastructure, Cybercrime


“Who in the government will help me if we face a significant cyber incident?”

It’s a question I get asked all the time, and until recently, there hasn’t been a clear answer. That changed last month, when President Obama issued a Presidential Policy Directive (PPD) on cyber incident coordination.

The PPD identifies federal agencies to lead specific aspects of incident response in the event of a significant cyber incident. (A “significant cyber incident” is defined as a cyber incident likely to result in demonstrable harm to the U.S. economy, national security interests, foreign relations, or to the public confidence, civil liberties, or public health and safety of the American people.) Unfortunately, the federal government has responded to several significant cyber incidents over the past few years. This PPD builds upon lessons learned from responding to those incidents, as well as the federal government’s experience in all types of disaster response (hurricanes, bombings, etc.).

The PPD breaks down cyber incident response into three roles: asset response, threat response, and intelligence support to both of those activities. “Asset response” focuses on helping the organization affected by malicious cyber activity find the bad guys on their network, kick them off, and recover.

“Threat response” focuses on identifying, pursuing, and disrupting the bad guys and their activity. As an analogy, think of a significant cyber incident as an arson: when you have a fire caused by arson, you want both the firefighters and the police to be present. The firefighters’ role is to put out the fire: that’s asset response. The police’s role is to determine who set the fire and bring them to justice: that’s threat response.

The lead federal agency responsible for asset response activities in the event of a significant cyber incident is the Department of Homeland Security (DHS)—specifically, through our National Cybersecurity and Communications Integration Center (NCCIC). Again, the NCCIC is like a firefighter: its role is to put out the fire, prevent it from spreading to other buildings, determine how the fire started, and advise the building owner how to prevent future fires.

In the event of a significant cyber incident, the NCCIC will find the bad guy on the affected organization’s system and help remove them, determine how they gained access, assess the damage they did, and provide guidance to the organization on how to make their system more secure. The NCCIC will also identify and alert other organizations that may be at risk from this particular bad guy, share anonymized information about the incident as broadly as possible so that other organizations can protect themselves, and distribute threat indicators related to the incident through our Automated Indicator Sharing capability so that our partners can immediately mitigate this particular threat.

The lead federal agency responsible for threat response in the event of a significant cyber incident is the Department of Justice (DOJ)—specifically, through its Federal Bureau of Investigation (FBI) and the National Cyber Investigative Joint Task Force (NCIJTF). As noted, they play the police role in relation to an arson: they’re responsible for collecting evidence and identifying and apprehending the arsonist. In the event of a significant cyber incident, the FBI and NCIJTF will conduct appropriate law enforcement and national security investigative activity; identify, pursue, and attempt to apprehend the bad guy; and disrupt and deter malicious cyber activity.

The PPD also recognizes the importance of providing intelligence support to asset and threat responders. The lead federal agency responsible for providing that support for significant cyber incidents is the Office of the Director of National Intelligence (ODNI)—specifically, through its Cyber Threat Intelligence Integration Center (CTIIC). The CTIIC does not engage directly with the private sector: it helps DHS and the DOJ build situational awareness of cyber threats and shares related cyber threat indicators across the federal government.

Other federal agencies also have critical roles in cyber incident response. The U.S. Secret Service brings its expertise in investigating financial crimes to threat response. DHS’s Homeland Security Investigations provides threat response for cyber-enabled crimes, including illicit e-commerce and the theft of intellectual property. Sector-specific agencies, like the Department of Energy and the Treasury, contribute their deep sector-level knowledge to asset response efforts. And DHS’s Office of Intelligence and Analysis also participates in the intelligence support portion of cyber incident response.

Now that the PPD has clearly defined federal agencies’ roles and responsibilities, the federal government is better equipped to respond to significant cyber incidents in both the public and private sector without duplicating efforts or getting mired in questions about who should be doing what. The collaboration among agencies and coordination of activities mandated by the PPD will ensure a unified national response to significant cyber incidents.

So, who should you call if your organization experiences a significant cyber incident? The short answer is, whomever you’re comfortable with. It’s our job to sync on the back end. You can be assured that all federal agencies will coordinate with each other to ensure that you get the help you need as soon as possible.

To report cyber incidents to asset responders, call the NCCIC at 1-888-282-0870 or contact the NCCIC by email. Threat responder points of contact are published separately.

Dr. Andy Ozment has worked in cybersecurity for almost twenty years as an operator, programmer, policymaker and executive. He is currently the Assistant Secretary for Cybersecurity and Communications at the Department of Homeland Security (DHS). In this role, Dr. Ozment is charged with protecting the government against cyber attacks and helping the private sector protect itself.

Dr. Ozment’s office helps its private sector and government customers by responding to incidents, sharing information, developing and promulgating best practices, and increasing our nation’s cybersecurity capacity. In leading this office, Dr. Ozment oversees a budget of more than $1 billion and leads a workforce of over 600 federal employees and several thousand support personnel.

At DHS, Dr. Ozment has led the U.S. government’s response to dozens of incidents in the government and private sector. During his tenure, his teams have been called in to find and remove the intruders at OPM and separately to travel to Ukraine to better understand and share information about the cyber attack that turned off power to over 200,000 customers. His team built and operates a classified, government-wide intrusion prevention system and is working with federal agencies to deploy endpoint monitoring solutions across millions of government computers. By establishing policy with clear metrics and holding agencies accountable, Dr. Ozment has driven a measurable decrease in the cyber risk faced by government agencies.

Prior to joining DHS, Dr. Ozment served at the White House as the President’s Senior Director for Cybersecurity where he led a team that developed national policy and coordinated federal cybersecurity efforts. He was responsible for the development and implementation of the President’s Executive Order 13636 on Improving Critical Infrastructure Cybersecurity. He then oversaw the resulting development of the NIST Cybersecurity Framework. Dr. Ozment also led the development of the National Strategy for Trusted Identities in Cyberspace, a signature initiative by the Administration to improve online authentication.

Before joining the White House, Dr. Ozment led an operational security group at DHS that oversaw compliance, metrics and security authorization for the Department’s Chief Information Security Officer. Previously, Dr. Ozment served in cybersecurity or technical roles with the Office of the Secretary of Defense, National Security Agency, Merrill Lynch and Nortel Networks.

Dr. Ozment earned a Bachelor of Science degree in Computer Science from Georgia Tech. While studying in the United Kingdom on a Marshall Scholarship, he earned a Master of Science degree in International Relations from the London School of Economics, and a Ph.D. in Computer Science from the University of Cambridge.

The opinions expressed in this blog are those of Dr. Andy Ozment and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
