July 26, 2016
Earlier this year, the Obama Administration—in recognition of the growing cyber threat from criminals, terrorists, and others who wish to do us harm—released its Cybersecurity National Action Plan.
One aspect of this multi-layered plan was a specific focus on improving cyber incident response. Because the victim of cyber incidents is often a private sector entity, it’s crucial that the private sector understands how the U.S. government will respond and coordinate in the event of a cyber incident impacting their networks, operations, or business.
So today, the Administration released Presidential Policy Directive-41 on U.S. Cyber Incident Coordination Policy, which sets forth principles that will govern the federal government’s response to cyber incidents and designates certain federal agencies to take the lead in three different response areas—threat response, asset response, and intelligence support. Those agencies are:
- The Department of Justice, acting through the FBI and the National Cyber Investigative Joint Task Force (NCIJTF), will be taking the lead on threat response activities.
- The Department of Homeland Security, acting through the National Cybersecurity and Communications Integration Center, will be lead agency for asset response activities.
- And the Office of the Director of National Intelligence, through its Cyber Threat Intelligence Integration Center, will be lead agency for intelligence support and related activities.
As the lead for threat response, the FBI will play a key role in the event of a significant cyber incident, communicating with field-level coordinators on the ground to coordinate an effective, multi-agency response to the incident. Threat response activities include conducting appropriate law enforcement and national security investigative activity, like collecting evidence and gathering intelligence; mitigating the immediate threat; identifying disruption activities; and facilitating information sharing and operational coordination with asset response personnel.