Uncle Sam Gets an Incident Response Plan


Once upon a time, when presidential politics were more sedate, the leader of the free world quipped that the nine most terrifying words in the English language were “I’m from the government and I’m here to help.” While not everyone agrees with the Gipper on that count, skepticism of government has only grown since he uttered those words. Those skeptics are likely to view the latest policy directive from the current president as the bureaucratic equivalent of rearranging deck chairs on the Titanic.

Presidential Policy Directive 41 (PPD 41), issued in July, establishes principles for how the U.S. government will respond to cyber incidents — including incidents on private sector networks. Of course, the government has been responding to cyber incidents on private networks for years — and to be fair, the owners of those networks are often more relieved than terrified by the assistance of federal employees. But that assistance has hardly been seamless. Multiple federal agencies have responsibilities for cybersecurity, creating a recipe for an excess of bureaucrats and a shortage of action when it comes to incident response.

PPD 41 is intended to fix that. It defines swim lanes for the FBI, the Department of Homeland Security, and the Office of the Director of National Intelligence respectively, to focus on threat response and investigation, asset protection and recovery, and intelligence support. It also establishes a federal entity for coordinating the response whenever two or more federal agencies are involved. These are all straightforward, common sense measures that one would expect the federal government to have already established. They are also the kind of measures that government often fails to implement effectively, so the real test for PPD 41 lies in the future, when agencies responding to an incident adhere to (or disregard) PPD 41’s guidance. Until then, government skeptics are certainly entitled to their pessimism.

This is true of most incident response plans: their true value is only revealed when put to use. And skeptics notwithstanding, the fact that the federal government has developed and codified its own plan is a positive step. CrowdStrike encourages all organizations to develop plans of their own as well, and there’s plenty of good guidance out there.

For organizations that do not have existing plans, PPD 41 sets a good example for what to include in an IR plan. It begins by establishing the principles that should guide the government’s incident response and goes on to define the activities involved, identify the parties responsible, establish a structure for coordinating those parties’ actions, and outline any preparatory actions required. Of course, the federal government’s approach to IR is a bit different from that of most organizations. So while PPD 41 is organized around threat response and investigation, asset protection and recovery, and intelligence support, most organizations choose to focus their plans on prevention, detection, response, and recovery. Many organizations also include metrics in their plans for measuring the efficacy of IR activities. (NIST offers helpful guidance on what to consider when developing a plan.)

For organizations that already have plans, particularly organizations that might anticipate any federal involvement in their cyber incident response, PPD 41 presents an opportunity to update those plans. One simple update would be to revise existing plans to identify the federal agencies that may participate in an incident and their respective roles as defined under PPD 41. If an organization doesn’t already have relationships with those agencies, it may be prudent to establish those relationships and revise incident plans to identify the appropriate points of contact. In CrowdStrike’s experience, coordination with federal agencies typically goes more smoothly when corporate responders are already familiar with the people in the local FBI field office. Another update might involve preparing for the possibility that government involvement could lead to public disclosure of an incident. PPD 41 establishes that government responders may issue a public statement about an incident if doing so serves “a significant federal government interest,” even if it goes against the wishes of the affected organization. Public relations managers should be forewarned.

Developing a plan is an important step, but it is just one part of preparing for cybersecurity incidents. Once an organization develops a plan, it must ensure the people who use it understand the plan, conduct exercises to test the plan’s efficacy, and revisit and revise the plan at regular intervals.

To find out more about the proactive services offered by CrowdStrike, please visit our proactive services page.
