Cyber incident response: Who does what?

“Who in the government will help me if we face a significant cyber incident?”

It’s a question I get asked all the time, and until recently, there hasn’t been a clear answer. That changed last month, when President Obama issued a Presidential Policy Directive (PPD) on cyber incident coordination.

The PPD identifies federal agencies to lead specific aspects of incident response in the event of a significant cyber incident. (A “significant cyber incident” is defined as a cyber incident likely to result in demonstrable harm to the U.S. economy, national security interests, foreign relations, or to the public confidence, civil liberties, or public health and safety of the American people.) Unfortunately, the federal government has responded to several significant cyber incidents over the past few years. This PPD builds upon lessons learned from responding to those incidents, as well as the federal government’s experience in all types of disaster response (hurricanes, bombings, etc.).

The PPD breaks down cyber incident response into three roles: asset response, threat response, and intelligence support to both of those activities. “Asset response” focuses on helping the organization affected by malicious cyber activity find the bad guys on their network, kick them off, and recover.

“Threat response” focuses on identifying, pursuing, and disrupting the bad guys and their activity. As an analogy, think of a significant cyber incident as an arson: when you have a fire caused by arson, you want both the firefighters and the police to be present. The firefighters’ role is to put out the fire: that’s asset response. The police’s role is to determine who set the fire and bring them to justice: that’s threat response.

The lead federal agency responsible for asset response activities in the event of a significant cyber incident is the Department of Homeland Security (DHS)—specifically, through our National Cybersecurity and Communications Integration Center (NCCIC). Again, the NCCIC is like a firefighter: its role is to put out the fire, prevent it from spreading to other buildings, determine how the fire started, and advise the building owner how to prevent future fires.

In the event of a significant cyber incident, the NCCIC will find the bad guy on the affected organization’s system and help remove them, determine how they gained access, assess the damage they did, and provide guidance to the organization on how to make their system more secure. The NCCIC will also identify and alert other organizations that may be at risk from this particular bad guy, share anonymized information about the incident as broadly as possible so that other organizations can protect themselves, and distribute threat indicators related to the incident through our Automated Indicator Sharing capability so that our partners can immediately mitigate this particular threat.

The lead federal agency responsible for threat response in the event of a significant cyber incident is the Department of Justice (DOJ)—specifically, through its Federal Bureau of Investigation (FBI) and the National Cyber Investigative Joint Task Force (NCIJTF). As noted, they play the police role in relation to an arson: they’re responsible for collecting evidence and identifying and apprehending the arsonist. In the event of a significant cyber incident, the FBI and NCIJTF will conduct appropriate law enforcement and national security investigative activity; identify, pursue, and attempt to apprehend the bad guy; and disrupt and deter malicious cyber activity.

The PPD also recognizes the importance of providing intelligence support to asset and threat responders. The lead federal agency responsible for providing that support for significant cyber incidents is the Office of the Director of National Intelligence (ODNI)—specifically, through its Cyber Threat Intelligence Integration Center (CTIIC). The CTIIC does not engage directly with the private sector: it helps DHS and the DOJ build situational awareness of cyber threats and shares related cyber threat indicators across the federal government.

Other federal agencies also have critical roles in cyber incident response. The U.S. Secret Service are experts in investigating financial crimes as part of threat response. DHS’s Homeland Security Investigations provides threat response for cyber-enabled crimes including illicit e-commerce and the theft of intellectual property. Sector specific agencies, like the Department of Energy and the Treasury, provide their deep sector-level knowledge to asset response efforts. And DHS’s Office of Intelligence and Analysis also participates in the intelligence support portion of cyber incident response.

Now that the PPD has clearly defined federal agencies’ roles and responsibilities, the federal government is better equipped to respond to significant cyber incidents in both the public and private sector without duplicating efforts or getting mired in questions about who should be doing what. The collaboration among agencies and coordination of activities mandated by the PPD will ensure a unified national response to significant cyber incidents.  

So, who should you call if your organization experiences a significant cyber incident? The short answer is, whomever you’re comfortable with. It’s our job to sync on the back end. You can be assured that all federal agencies will coordinate with each other to ensure that you get the help you need as soon as possible.

To report cyber incidents to asset responders, call the NCCIC at 1-888-282-0870 or email NCCIC@hq.dhs.gov. For threat responder points of contact, please click here.