President signs order to improve cyber attack responses
President Obama has released Presidential Policy Directive/PPD 41, establishing principles to govern responses to major federal and private sector cyber attacks.
Although not specifically focused on cyber incidents at healthcare organizations, the directive does recognize the serious impact that such incidents can have on “public health and safety.”
“While the vast majority of cyber incidents can be handled through existing policies, certain cyber incidents that have significant impacts on an entity, our national security or the broader economy require a unique approach to response efforts,” according to the directive. “These significant cyber incidents demand unity of effort within the Federal Government and especially close coordination between the public and private sectors.”
The policy directive covers any cyber incident, establishes lead federal agencies to coordinate responses, and requires the departments of Justice and Homeland Security to maintain updated contact information for public use to report incidents. The Federal Bureau of Investigation also plays a major role in responses, according to the directive.
The document also describes a significant cyber incident as an incident, or a group of related incidents, likely to result in demonstrable harm to national security interests, foreign relations, the national economy, public confidence, civil liberties or public health and safety.
The directive spells out five guiding principles covering shared responsibility among individuals, the private sector and government; resource allocation based on risks posed by an attack; safeguarding details of an incident, privacy and civil liberties and sensitive private sector information; generally deferring to affected entities in notifying private sector entities and the general public; coordinating among government entities to achieve optimal results; and facilitating restoration and recovery.
Further, the government will conduct investigations at affected entity sites, provide technical support to protect assets and mitigate vulnerabilities, facilitate information sharing, gather and disseminate intelligence, and coordinate with affected private entities to understand potential impacts of an attack on critical private sector infrastructure.
The directive lists specific federal agencies as lead agencies for mitigating three effects of an attack: threat response activities (Justice, FBI and National Cyber Investigative Joint Task Force), asset response activities (Homeland Security and its National Cybersecurity and Communications Integration Center), and intelligence support and related activities (Director of National Intelligence through the Cyber Threat Intelligence Integration Center).
Homeland Security and Justice are tasked with disseminating a fact sheet to aid the private sector in contacting relevant federal agencies after a cyber incident. Numerous coordinating federal agencies have 180 days to implement the new national policy in cyber response exercises.