On July 26, 2016, President Obama issued Presidential Policy Directive/PPD-41 on United States Cyber Incident Coordination (“PPD-41” or the “Directive”). “Cyber incidents are a fact of contemporary life, and significant cyber incidents are occurring with increasing frequency,” the Directive states, giving “the private sector and government agencies . . . a shared vital interest” in preventing and responding to such incidents. To that end, the Directive, along with an accompanying fact sheet and annex, establishes guiding principles, clarifies lines of effort and assigns roles and responsibilities for the federal government’s response to significant cyber incidents that “demand unity of effort within the Federal Government and especially close coordination between the public and private sectors.” This Legal Update describes the Directive with a focus on those elements of particular interest to private sector entities.

Definitions of Cyber Incidents

The Directive distinguishes between a significant cyber incident and all other cyber incidents based on the severity of the likely consequences. This distinction is important for the private sector, as determinations of severity will drive the federal government’s level of engagement in the response to cyber incidents that affect the private sector.

The Directive defines a “cyber incident” to include: “[a]n event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.” It states that “cyber incidents” also may include “a vulnerability in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.” By contrast, a “significant cyber incident” is a cyber incident (or group of related cyber incidents) that is “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”

In addition to these definitions, the White House also released a “cyber incident severity schema,” adopted by the US Federal Cybersecurity Centers, that “establishes a common framework for evaluating and assessing cyber incidents,” specifically to facilitate identification of significant cyber incidents. The schema depicts six incident levels (Levels 0-5) with accompanying general definitions, observed actions, and intended consequences. For example, Level 5, “Emergency,” is defined as an incident that “[p]oses an imminent threat to the provision of wide-scale critical infrastructure services, national gov’t stability, or to the lives of U.S. persons.” Its “Observed Actions” is listed as “Effect” and the “Intended Consequence” is listed as “Cause physical consequence.”

Principles Guiding Incident Response

The Directive identifies five principles that guide the federal government’s response to “any cyber incident.”

  1. Shared Responsibility: The Directive states that “[i]ndividuals, the private sector, and government agencies have a shared vital interest and complementary roles and responsibilities in protecting the Nation from malicious cyber activity and managing cyber incidents and their consequences.”
  2. Risk-Based Response: The Directive requires that the federal government’s response to a cyber incident be determined “based on an assessment of the risks posed to an entity, our national security, foreign relations, the broader economy, public confidence, civil liberties, or the public health and safety of the American people.”
  3. Respecting Affected Entities: The Directive provides that, “[t]o the extent permitted under law, Federal Government responders will safeguard details of [an] incident, as well as privacy and civil liberties, and sensitive private sector information, and generally will defer to affected entities in notifying other affected private sector entities and the public. In the event a significant Federal Government interest is served by issuing a public statement concerning an incident, Federal responders will coordinate their approach with the affected entities to the extent possible.”
  4. Unity of Governmental Effort: The Directive observes that “[v]arious government entities possess different roles, responsibilities, authorities, and capabilities that can all be brought to bear on cyber incidents.” The Directive explains that “[t]hese efforts must be coordinated to achieve optimal results” and directs the federal government to partner with State, local, tribal and territorial governments and, as appropriate, international partners, in managing cyber incidents.
  5. Enabling Restoration and Recovery: Under the Directive, “[f]ederal response activities will be conducted in a manner to facilitate restoration and recovery of an entity that has experienced a cyber incident, balancing investigative and national security requirements, public health and safety, and the need to return to normal operations as quickly as possible.”

Concurrent Lines of Effort

The Directive describes three primary, concurrent lines of effort in responding to cyber incidents that affect the private sector, each with its own “federal lead agency.” (When a government agency is the victim, “it shall undertake a fourth concurrent line of effort to manage the effects of the cyber incident on its operations, customers, and workforce”).

Threat Response: Led by the Department of Justice acting through the FBI and the National Cyber Investigative Joint Task Force, threat response activities include law enforcement and national security investigations at the affected entity’s site, evidence collection, intelligence gathering, attributing the attack, and developing and implementing courses of actions to mitigate the immediate threat.

Asset Response: Led by the Department of Homeland Security acting through the National Cybersecurity and Communications Integration Center, asset response activities include providing “technical assistance to affected entities to protect their assets, mitigate vulnerabilities, and reduce impacts of cyber incidents; identifying other entities that may be at risk and assessing their risk to the same or similar vulnerabilities; assessing potential risks to the sector or region, including potential cascading effects, and developing courses of action to mitigate these risks; facilitating information sharing and operational coordination with threat response; and providing guidance on how best to utilize Federal resources and capabilities in a timely, effective manner to speed recovery.”

Intelligence Support and related activities: Led by the Office of the Director of National Intelligence acting through the Cyber Threat Intelligence Integration Center, intelligence support activities include “building [] situational threat awareness and sharing [] related intelligence, [] integrat[ing] analysis of threat trends and events . . . , identif[ying] [] knowledge gaps, . . . [and] degrad[ing] or mitigat[ing] adversary threat capabilities.”

Coordination Architecture for Significant Cyber Incidents

The Directive devotes substantial attention to mechanisms for internal coordination of the government’s response to a significant cyber incident, including enhanced agency coordination procedures; Cyber Unified Coordination Groups, which facilitate such coordination in the context of specific incidents; and an updated National Security Council-chaired interagency Cyber Response Group, which develops and implements national incident response strategies.

Notably, the Directive requires federal representatives of the asset and threat response lead agencies (i.e., the Departments of Homeland Security and Justice) to coordinate their activities with each other and with the affected entity. In doing so, the Directive envisions that representatives from the federal lead agencies may be co-located with the affected entity.

Unified Public Communications

PPD-41 instructs the Departments of Homeland Security and Justice to “maintain and update as necessary a fact sheet outlining how private individuals and organizations can contact relevant Federal agencies about a cyber incident.”

Shortly after the Directive’s release, the Department of Homeland Security and the FBI published a “Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government.” This pamphlet details when companies should consider reporting a cyber incident to the federal government; what they should report; and how they can do so. It also identifies key federal points of contact for both the threat response and asset response functions, specifying which entities can provide the best support for specific needs.

Next Steps and Open Questions

PPD-41 provides greater clarity regarding the government’s approach to cyber incident response, but it also sets the stage for follow-on developments and leaves outstanding questions for private sector entities.

National Cyber Incident Response Plan: While PPD-41 establishes the basic framework for coordinating incident response, it also anticipates further development of specific policies and practices. The Directive’s Annex calls for “the Secretary of Homeland Security, in coordination with the Attorney General, the Secretary of Defense, and [Sector-Specific Agencies, to] submit a national cyber incident response plan to address cybersecurity risks to critical infrastructure to the President,” within 180 days. This plan is to be developed in consultation with “SLTT governments, sector coordinating councils, information sharing and analysis organizations, owners and operators of critical infrastructure, and other appropriate entities and individuals.” Private sector entities that could be affected by this plan may wish to consider whether and how to contribute to its development.

Information Sharing: While the Directive mentions the “complementary roles and responsibilities” of the federal government and the private sector, it does not specify how departments and agencies should share information with victims of cyber incidents. The recent passage of the Cybersecurity Information Sharing Act of 2015 and its subsequent implementation guidance provides a framework for reciprocal information exchanges. (See Mayer Brown’s updates on the bill’s passage, initial implementation guidance and updated implementation guidance.) It remains to be seen exactly how PPD-41 will interact with this established framework and in what particular circumstances information will be shared with private sector entities affected by cyber incidents.

Engagement with Multiple Agencies: While the Directive instructs federal agencies to coordinate their activities with each other and the affected entity, the Directive suggests that private companies still should expect to engage with multiple government actors in the aftermath of a significant cyber incident.

Proactive Engagement: Notwithstanding the Directive’s new coordination mechanisms and acknowledgment of certain private sector equities at stake, companies will still need to determine how to manage their own federal government outreach on cyber incidents. In particular, they will need to consider which federal agency to contact, whether to do so and when to initiate such engagement.