President's Cyber Response Directive Gets Mixed Reviews
Experts Debate Whether the New Policy Is Too Complicated
Security experts disagree about whether a new presidential policy directive on how to coordinate response to a large-scale cyber incident is well-designed.
While some say it's far too complex to work, others say it reflects current practices.
Richard Stiennon, chief strategy officer at Blancco Technology Group, a provider of mobile device diagnostics, sees the directive as being "overly complicated" with "too many moving parts. It calls on many new and relatively unvetted components of the federal government to work together in a quick and efficient manner."
But Phil Reitinger, chief executive of the Global Cyber Alliance, doesn't see the complexity getting in the way of executing the directive. "I don't think it's a huge lift for implementation; I suspect this is the way the government already works," says Reitinger, a former DHS deputy undersecretary for cybersecurity and onetime chief information security officer at Sony. "I think it's more a likely description of the way things now generally work and ought to work as opposed to a notional thing to work toward."
Assign Roles to Agencies
The new directive, announced July 26, gives specific roles to the FBI, Department of Homeland Security and the Office of the Director of National Intelligence to coordinate three lines of effort: threat response, asset response and intelligence support activities.
In terror-related cyber incidents, the FBI will take the lead to coordinate the response to an immediate threat, the policy states. The Department of Homeland Security will lead what the directive calls "asset response," in which the department provides technical assistance to help victims find the adversary on their systems, protect their assets and bring systems back online. The ODNI will integrate intelligence and analysis about the threat and identify opportunities to mitigate and disrupt it.
"Our new policy acknowledges that when businesses and federal agencies are the victim of or experience a significant cyber incident, one of the most important considerations is likely to be restoring operations and getting back online," Lisa Monaco, assistant to the president for homeland security and terrorism, told a cybersecurity conference on July 26, the day the White House issued the directive (see New White House Policy Defines Coordination of Cyber Response). "Our policy makes clear that we will coordinate with the victim to minimize any interference between their incident response and our own."
Homeland Security Secretary Jeh Johnson says the directive is another crucial step to improve national cybersecurity. "It not only clarifies the roles of the various government actors involved in cybersecurity, it re-enforces the reality that cybersecurity must be a partnership between the government and the private sector, and among the law enforcement, homeland security and intelligence components of the government."
Developing a Partnership
Although the administration promotes the idea of a government-private sector partnership, one industry leader contends the White House did little to get industry ideas in developing the new policy.
Larry Clinton, chief executive of the Internet Security Alliance, says he's delighted to see the government move to clarify its role and responsibilities regarding cyber events. "However, defining these roles and responsibilities on a government-only basis, as this appears to have done, is bad policy making and counter to the administration's own oft stated views on the need for government to work with the private sector," he says. "As far as I can tell, there has been little or no private sector involvement in the development of this new system.
"Every Cyber Storm [joint cyber exercises with industry and government] action report has stressed the need to increase coordination between the public and private sectors. This program seems to move in the opposite direction."
Elevating DHS Agency
Sam Visner, senior vice president for cybersecurity at the professional services firm ICF International, says the directive could be strengthened if the National Protection and Programs Directorate at DHS, which is charged with overseeing the asset response portion of the new policy, is elevated to an agency, on par with Immigration and Customs Enforcement, the Federal Emergency Management Agency and the Transportation Security Administration.
Legislation to do just that has passed a House committee, but must be approved by the full House and Senate and signed by the president to become law. Visner says he believes that could be done in the lame-duck session of Congress that will follow the November presidential election.
"This is a huge, powerful mission - cyber and infrastructure protection - and it would be stronger, it would compel more cooperation and support governmentwide if it had enhanced status, which giving it agency status would do," Visner says.
What Will Next President Do?
With only five months remaining in the Obama administration, the next president could rescind the directive. "How will the cumbersome series of Obama administration presidential policy directives fare after Jan. 20, 2017, when a new administration takes office?" Stiennon asks.
Stiennon says he suspects a Clinton administration would retain much of the same personnel and organization; a Trump administration would likely start from scratch. "Time will tell," he says.