August 15, 2017 – Federal Government Incident Response

TLP White

Policy Analysis –

This week, we will look at incident response policy. After all, August seems like a good month to revisit incident response plans. This will be the first stage in a multi-part series – today we will lay the groundwork by reviewing how the federal government organizes itself to support cyber incidents that impact critical infrastructure. In future weeks, we will look at regulatory requirements under HIPAA and other statutes, and examine more closely the role H-ISAC plays in incident response within the health care industry.

In 2016, the federal government released a policy to formalize incident response processes. Presidential Policy Directive 41: United States Cyber Incident Coordination (PPD-41, for short) established a definition of cyber incidents, committed the government to core principles, defined distinct lines of effort, and created new coordinating structures.

To help clarify roles and responsibilities, the government came up with the concept of “concurrent lines of effort,” all of which are activated when responding to a significant cyber incident. Threat response (led by the FBI) is the work done to mitigate the threat, whether through law enforcement or disruptive operations. Asset response (led by DHS) focuses on defending IT assets and restoring services. This can involve sending technical staff to organizations that have been hacked, as well as analyzing and sharing information to limit impact within a firm or across a sector or region. Intelligence support (led by ODNI) includes building and sharing awareness of the threat. Business response is a fourth line of effort that is the responsibility of the victim of the attack. In the case of an attack against critical infrastructure, the agency that oversees the relevant sector serves as the federal coordinator with that entity. In the case of the healthcare sector, that’s HHS.

When a significant cyber incident occurs, two coordinating structures are automatically established. At the base level, a field-level coordination group is established by the federal personnel who are in communication with the private entity. This is meant to provide a single federal voice and prevent confusion. A level up from the field, a Unified Coordination Group (UCG) is formed. It includes senior cybersecurity officials from the agencies leading each line of response, as well as representatives from other required agencies. The CIO or CISO of a victim company, or the leadership of a relevant sector ISAC, might be invited to join this group.

If the UCG deems it necessary (or cabinet officials decide to intervene), a Cyber Response Group (CRG) is formed to lead coordination out of the White House. The CRG is technically chaired by the President’s Homeland Security Council (currently Tom Bossert), but leadership may be deferred to the NSC Cyber Coordinator (currently Rob Joyce). This group is charged with ensuring that any risk to national security is fully considered and that the necessary resources are deployed.

This is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion, become a member of H-ISAC.