BDO Knows Cybersecurity Alert - August 2016

August 2016

New Presidential Policy Directive on Cyber Incidents Clarifies the Government’s Responsibilities and Improves Coordination 


The severity of cyberattacks is a growing concern for both the public and private sectors, with high-profile institutions like J.P. Morgan, Sony, Anthem and the government’s Office of Personnel Management (OPM) experiencing major breaches in recent years. What kind of responsibility does the government have to help resolve these issues?
 
To provide greater clarity about the federal government’s role, the White House recently issued a Presidential Policy Directive (PPD) on U.S. Cyber Incident Coordination. The PPD, which has been in development for years, is a culmination of best practices and lessons learned from responding to major cyber incidents and other related issues, such as disasters and terrorism. Private sector input was critical to informing the directive. BDO and our own John Riggi, a highly decorated veteran of the Federal Bureau of Investigation (FBI), proudly served as an official private sector validator.

Summary

On July 26, 2016, President Obama signed the PPD, codifying the policy that governs the federal government’s response to “significant” cyber incidents. Key elements of the PPD include:
  • Designated lead agencies for government action, broken into four categories: (a) responding to the threat, (b) protecting the organization’s assets, (c) intelligence gathering and analysis, and (d) restoring operations.
  • Five principles to guide the government’s response to a cyber incident, emphasizing the importance of shared responsibility and coordination.
  • A three-tiered architecture to coordinate the government’s response to significant cyber incidents at the policy, operational and field levels.
  • A shared framework for evaluating and assigning a level of severity to a cyber incident.
The schema in the graphic below will be used across federal agencies and departments to define the severity of a cyber incident and ensure there is a shared sense of urgency and action. Incidents at level 3 or above are considered “significant” and trigger the PPD’s coordination guidance.
 
[Graphic: cyber incident severity schema. Source: White House]
 
A Unified Coordination Group (UCG) will be created when a significant cyber event occurs, involving executives from each lead agency participating in the effort, as well as any state-specific agencies and relevant private sector entities. The group’s purpose is to coordinate the development, prioritization and execution of cyber response efforts, improving information sharing and communication between all parties including the affected company.
 

BDO Insights

The PPD delivers on the need for the federal government to achieve a more coordinated, integrated and consistent response to significant cyber incidents, and offers clarity on what triggers its involvement.
 
“Significant” cyber threats—those that pose at least a demonstrable impact on public health or national or economic security—require greater public-private sector cooperation. Both parties face similar adversaries, requiring a “whole of nation” approach to adequately respond to security-related issues. The PPD aims to foster an improved working relationship between the two parties, putting into place measures that underscore the treatment of the affected companies as victims in need of government assistance, rather than corporate offenders, such as:
  • Improving transparency around how the government handles these matters, who is in charge and when they will step in.
  • Assigning the FBI as a lead agency that the private sector can turn to for help.
  • Safeguarding details of the incident and sensitive private sector information.
  • Coordinating with the affected company to facilitate recovery and minimize interference so that operations can resume as quickly as possible.
It’s important to note that this victim model doesn’t absolve private sector companies from all regulatory liability or preclude law enforcement from sharing relevant information with regulators. However, companies that proactively contact and cooperate with law enforcement often receive favorable treatment.

Building on the provisions of the Cybersecurity Information Sharing Act (CISA), which was signed into law in December 2015, bi-directional information sharing between the private and public sectors is a key part of the PPD. CISA provides certain regulatory protections to encourage private sector companies to share information about major security threats with the government.
 
The private sector will be key to helping the government implement this PPD and informing how it will continue to evolve.
 

For questions related to matters discussed above, please contact:
 
John Riggi
Technology Advisory Services Managing Director and Head of BDO’s Cybersecurity and Financial Crimes

Shahryar Shaghaghi
Technology Advisory Services National Leader and Head of International BDO Cybersecurity