
When Will the United States Have a National Cyber Incident Response Plan?

Previous efforts are languishing in limbo.

As the capability and sophistication of cyber bad actors continue to grow and threaten the national and economic security of the United States, there is still no clarity about who is in charge, or how to deal with a significant cyber event that could become an incident of national or even global consequence. No strategic blueprint provides high-level direction, and no operational plan articulates the roles and responsibilities of government, industry and other stakeholders at the various thresholds of escalation during a significant cyber event. To this day, the United States does not have an approved national cyber incident response plan that provides documented, predictable and sustainable procedures and protocols for addressing what is characterized as one of the most serious threats facing the safety and security of our nation. It is more than fair to ask: How can that be, and what are we doing about it?

Many working in the cybersecurity realm today are not aware that efforts actually began in 2008, when industry leaders in the private sector critical infrastructure community learned the Bush Administration was considering the creation of such a plan, but wholly within government. Because approximately 80 percent of the nation’s critical infrastructure is owned, operated or controlled by the private sector, a number of industry leaders objected to the notion of a government-only effort and instead advocated a collaborative approach among government, industry and other stakeholders.

After meeting with leadership from the National Security Staff at the White House to discuss the most productive approach, participants agreed that a joint effort was the most appropriate. Thus, in October 2008 a team began to develop a national cyber incident response plan (NCIRP). A group of talented, knowledgeable and dedicated subject matter experts from across government, the private sector critical infrastructure owner and operator community, and other stakeholders set out to create and deliver a draft plan to the White House. Using a collaborative, consensus-based approach, the participating subject matter experts delivered a draft NCIRP to the White House in the fall of 2009.

This draft NCIRP was a strategic, high-level blueprint that outlined the framework for how stakeholders would work together to mitigate, respond to and recover from a significant cyber event with national or even global consequences. At the time, it was anticipated that the draft NCIRP would be reviewed and ultimately approved by the White House for adoption and use. The working group also anticipated that shortly thereafter, efforts would be launched to develop operational playbooks to complement the NCIRP and put the “meat on the bones” of the plan. Those operational playbooks would provide more detail around the roles and responsibilities of industry partners, government departments, agencies, interagency entities and other contributing stakeholders that would have an operational role during any identified event that would trigger activation of the NCIRP, and at each threshold of escalation.

The playbooks also would describe the procedures and protocols for gathering, analyzing and de-conflicting incident ground truth to achieve near-real-time situational awareness that informs risk management decision making. They would articulate the roles and responsibilities of various government bodies such as the National Infrastructure Coordinating Center (NICC), the National Cybersecurity and Communications Integration Center (NCCIC), the National Operations Center (NOC), the Cyber Response Group (CRG), the National Threat Operations Center (NTOC) and many more. The private sector would learn where to plug in to collaborate on achieving timely and actionable situational awareness and on implementing the appropriate measures to mitigate, respond to and recover from a significant cyber event.

These playbooks would encompass thresholds of escalation from steady state up to and including an attack that threatens national security, property and human life. The NCIRP and the associated operational playbooks would be tested periodically through national-level cyber exercises intended to identify gaps and needs for continuous improvement.

After the draft NCIRP was delivered to the White House in the fall of 2009, it was subjected to a federal interagency review and comment process. In March 2010, a draft interim NCIRP was released, but not approved, and remained subject to ongoing review by the Obama administration. It was updated in September 2010, but still not finalized. No projected date was identified for when the plan would receive final approval and adoption.

More than five-and-a-half years later, that document remains in draft interim status, with no further review or consultation with industry or stakeholders outside of government. The draft interim NCIRP was intended to be tested during a Tier-1 national level exercise in 2012, but even that effort faltered because of the uncertainty around the plan’s draft interim status and a totally unrealistic scenario created by government for the exercise.

So, as of today, no approved plan exists for how the nation will respond to a cybersecurity event that may have national or even global consequences. To date, there is a lack of clarity around roles and responsibilities of various government departments, agencies and organizations and how they will or will not work with industry—specifically the private sector owners and operators of the nation’s critical infrastructure—during a time of cyber crisis. It is unclear who is in charge or has the responsibility for leading efforts to mitigate, respond to and recover from a cyber event that may include significant damage or disruption to data, networks, systems and critical infrastructure such as power, transportation, water, communications, information technology and more—or even injury or death. It is not even clear when or at what level of escalation a cyber event falls within the jurisdiction of the Department of Homeland Security or when it might have sufficient national security implications to fall under the purview of the Department of Defense.

Recently, it has been reported that the administration is working on a directive regarding a successor NCIRP. No details or timeline have been provided, nor does it appear that anyone from industry or representatives from any other affected stakeholders outside of government have been invited to participate in crafting whatever the intended directive will be.

It remains a mystery what happened to the draft NCIRP that was developed in a joint, collaborative effort among government, industry and other stakeholders and delivered to the White House in 2009 for review and approval. It has never received final approval.

As of now, it is also a mystery what may or may not be going on within the government to move forward with a strategic plan and accompanying operational playbooks for a whole-of-nation response to a cyber event with national consequences.

It is unacceptable that the nation has not progressed to develop and adopt a set of documented, predictable and sustainable policies, procedures and protocols for responding to a major cyber attack against our nation. It is a dangerous notion to think that we will simply figure it out while it is going on. With the advent of cyber-physical systems and the explosion of the Internet of Things, this challenge is exacerbated further.

Accordingly, it is long past time to engage a group of government, industry and stakeholder subject matter experts to build on the previous work, revise and update it as necessary, and deliver an NCIRP that includes a strategic framework and associated operational playbooks, produced through a joint, collaborative and consensus-driven process. That deliverable would provide a documented, predictable and sustainable plan for mitigation, response and recovery from any cyber event with national or even global consequences.

An NCIRP is an essential arrow in our national quiver of cybersecurity risk management and making our nation safer and more secure. This needs to be a priority now.

Robert B. Dix Jr., is the vice president, Global Government Affairs and Public Policy, for Juniper Networks.