September 13, 2016
A U.S. presidential policy directive will treat companies targeted by cyberattackers as victims of a crime – and not automatically at fault – as the government looks to create an environment conducive to sharing information on cyberattacks, according to a former official with the U.S. Federal Bureau of Investigation (FBI).
The Presidential Policy Directive 41 (PPD 41) on United States Cyber Incident Coordination, signed July 26 by President Obama and now in effect, establishes guidelines for how the U.S. federal government will respond to cyberattacks launched against the public and private sectors.
This includes U.S. companies across a number of industries, including oil and gas. The cybersecurity risks that oil and gas companies face continue to grow, according to the 2016 BDO “Oil & Gas Risk Factor” report. Risks associated with data breaches have grown from just 12 percent in 2012 to 74 percent in 2016, with cybersecurity proving to be a rapidly moving target as bad actors evolve and leverage increasingly sophisticated hacking methods, BDO stated in the report. BDO is an accounting and consulting firm that provides services to over 400 publicly traded domestic and international clients.
“Cyber incidents are a fact of contemporary life, and significant cyber incidents are occurring with increasing frequency, impacting public and private infrastructure located in the United States and abroad,” the White House said in a July 26 press statement. “While the vast majority of cyber incidents can be handled through existing policies, certain cyber incidents that have more significant impacts on an entity, our national security, or the broader economy require a unique approach to response efforts,” the White House stated.
PPD 41 designates lead agencies for government action in terms of responding to a threat, protecting an organization’s assets, intelligence gathering and analysis, and restoring operations, according to an August 2016 analyst note by BDO Consulting. It also establishes principles to guide government response, establishes a three-tiered architecture to coordinate the response for significant cyber incidents at a policy, operational and field level, and a shared framework for evaluating and assigning a level of severity to an incident.