A National Cyber Event Requires Clarity for Roles and Responsibilities
With the increasingly complex, dangerous and sophisticated cyber risk environment confronting the public and private sector today, responding to a significant cyber event with an ad hoc approach could result in a confusing and disjointed effort generating a potentially damaging outcome. It is imperative to have clarity and predictability around the various roles and responsibilities necessary to address any cyber event that may reach a level of national consequence or even trigger a national defense response.
Threat actors have evolved from script kiddies to perpetrators of various degrees of criminal activity, activist groups, nation states and even terrorist organizations. The capabilities and level of sophistication of adversaries today cause stakeholders and decision makers to examine cyber risk management through a magnified lens in order to improve the protection of information, data, bank accounts, credit cards, intellectual property, business secrets and critical infrastructure functions across the United States and around the world.
In 2008, the Bush administration called on the Department of Homeland Security to coordinate the development of a National Cyber Incident Response Plan (NCIRP) that would articulate a strategic approach to cyber incident response and consequence management. The NCIRP would be accompanied by a series of operational playbooks that would define the various roles and responsibilities across the public and private sectors during evolving thresholds of escalation of a cyber event that could become an incident of national or even global consequence.
A wide range of stakeholders came together, including senior government officials from a variety of federal departments and agencies as well as private sector subject matter experts from critical infrastructure owners and operators. They joined other participants who all contributed to a robust effort to draft a plan for a strategic approach to this increasingly difficult challenge. The collaborative engagement brought together a wide range of expertise and perspective from experienced professionals committed to improving America’s critical infrastructure protection, cybersecurity and resilience. The collaboration included intense discussion and debate, research and writing driven by communication and coordination among stakeholders to achieve a consensus that produced a draft version of the NCIRP.
That product was delivered to the White House in 2009. At the time, it was fully anticipated that work on the supporting operational playbooks would be convened soon thereafter. However, that important work has not yet been initiated.
It was reported to stakeholders that the draft NCIRP was advanced into a federal interagency review process. With no further review or feedback from the industry or other non-governmental contributors, a draft interim document was released by the White House in 2010. Five years later, the NCIRP remains in a draft interim status with little discussion on when or if that document will be updated to reflect the evolving cyber risk environment we face today and beyond.
Accordingly, many questions remain about what happens if we experience a cyber event that can produce national consequences or impact. For example:
Which federal agency is in charge if a major national cyber event occurs in the United States? Is it the Department of Homeland Security? Is it the FBI? Is it the Defense Department? Is it the White House National Security Council? Is it all of them? Additionally, what are the characteristics and attributes of an event that would determine the handoff from the Department of Homeland Security to the Defense Department?
It seems reasonable that in 2015, there ought to be clarity around how the thresholds of escalation will be managed and what the various roles and responsibilities of federal government entities should entail. This includes how industry, especially critical infrastructure owners and operators, will contribute to achieving timely, reliable and actionable ground truth and situational awareness to inform the decision making process about how best to mitigate, respond to or recover from a significant national cyber event. That process should be clearly understood, predictable and tested periodically.
These are not new questions. They have been raised during national-level cyber exercises dating back to 2006 and most recently in 2012. Planning is underway for Cyber Storm (CS) V next year. CS V would be a great opportunity to test the progress in how we work together to achieve improved national cybersecurity and resilience.
As the debate continues across Congress, the administration and the broad stakeholder community about basic cybersecurity risk management requirements, it is time to move beyond a draft interim NCIRP and finalize a true National Cyber Incident Response Plan. This plan would provide a strategic blueprint and complete the necessary operational playbooks to provide clarity about how government and industry will work together. Given the growing potential threat of a cyber event with national impact, the nation needs a clear understanding of the roles and responsibilities for various government agencies and entities, along with a documented engagement model for information sharing, analysis and collaboration with private sector partners and other stakeholders to meet the growing cybersecurity challenge.
We can get to work on this tomorrow. So, let’s get to it.
Robert B. Dix Jr. is vice president, global government affairs and public policy for Juniper Networks.