Trying to get the country’s act together, but how well will things work, especially with the private sector?
In a major cyber-hack, whom do you call? The White House spells it out.
President Obama approved a new directive Tuesday [July 26] that spells out for the first time in writing how the government handles significant cyber-incidents.
The directive lets the public know which agency handles what, answering an oft-heard question after a breach: Whom do I call for help?
The administration also for the first time revealed how it grades the severity of an event — and how it determines what is significant.
The directive comes as the administration is grappling with its latest major cyber-incident: the Russian hack of the Democratic National Committee’s computers and the suspected release by the Russians of the embarrassing DNC emails that appeared Friday on the anti-secrecy site WikiLeaks, days before the Democratic National Convention was to begin in Philadelphia [see “US Election Cyber Security Mess: Democrats, the Bear, the Donald, Whatever”].
This incident will certainly test the new directive, as officials are still weighing how severe the breach is. To be considered significant, an incident must be likely to result in at least a “demonstrable impact” to public health or safety, national security, economic security, foreign relations, civil liberties or public confidence.
“We are in the midst of a revolution of the cyberthreat — one that is growing more persistent, more diverse, more frequent and more dangerous every day,” said Lisa Monaco, Obama’s adviser for homeland security, at a conference Tuesday at Fordham University.
Monaco also said the scale of the government’s response will be based on an assessment of the risks posed by an incident. “How might it affect our national security or economy? Does it threaten the life or liberties of American people?”
The directive has been in the works for at least two years, but it reflects the experience of almost eight years of dealing with increasingly complex and challenging cyber-incidents. The last four have been particularly trying.
Last year, officials discovered that the Chinese had breached computers at the Office of Personnel Management, exposing the data of 22 million current and former federal employees and their families. The year before that, North Korean hackers disrupted the network of Sony Pictures Entertainment, deleting files and disabling computers, uploading unreleased films to the Internet and leaking embarrassing emails. It was all an apparent effort to dissuade the studio from releasing a satirical film depicting the assassination of the country’s supreme leader, Kim Jong Un…
The White House has come up with a severity scheme ranging from Level 0 for an inconsequential event to Level 5 for an emergency — or an attack that poses an “imminent threat” to critical systems such as the power grid, federal government stability or people’s lives. Level 2 is reserved for an incident that may affect public safety or national security. Level 3 moves into the realm of significant, for high-severity events that are likely to have a “demonstrable” impact on public safety or national security…
There has been no known incident that would be considered a Level 5, senior officials said. The suspected Russian cyberattack on Ukraine’s electric grid in December that caused widespread power outages probably would have been a Level 4 — a “severe” event that likely would result in “significant” harm to public safety or national security — if it had happened in the United States, the official said…
Officials within the administration of President Barack Obama, a Democrat, said the guidelines fall short of describing how Washington should hit back against significant attacks that do not kill anyone but cripple an electrical grid or the financial system.
Three current U.S. national security officials, who spoke on condition of anonymity, said that so far the administration has not defined the point at which a cyber attack justifies a military response [see from 2015: “US Cyber: Defence and Now Offence?”].
“Is it worse than what a bomb could do, and if we decide it is, what’s the appropriate response?” one of the officials asked.
The directive defines a significant cyber incident as one likely to harm national security or economic interests, foreign relations, public confidence, public health or safety, or civil liberties, according to a White House fact sheet…
Obama signed an executive order in April 2015 that allows for the U.S. to levy economic sanctions directly in response to cyber attacks. That authority has never been used.
The new directive largely codifies existing practices and norms, rather than changing policy, said Ari Schwartz, a former top cyber security adviser at the White House who is now with the law firm Venable.
The Department of Justice, working through the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force [within the FBI], will be the lead agency for investigating criminal intrusions or those that could affect national security, according to the policy.
The Department of Homeland Security will serve as the lead contact in helping companies respond to breaches of their networks. Intelligence agencies will be in charge of gathering information in order to identify who is behind an attack…
As for Canada: