Data Protection Report - Norton Rose Fulbright

On July 26, 2016, the White House issued the United States Cyber Incident Coordination Directive (Presidential Policy Directive PPD-41, including an Annex).  The Directive sets forth the principles governing the Federal Government’s response to cyber incidents, including incidents affecting private entities that are part of U.S. critical infrastructure.  The Directive is designed to improve coordination between government agencies and to clarify inter-departmental involvement in response to a cyber incident.

The Directive

The Directive triggers a significant Federal Government role in responding to “significant cyber incidents” and establishes a framework for its response.  The Directive defines a “significant cyber incident” as an incident “that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”

For such “significant cyber incidents,” the Directive establishes lead Federal agencies and an architecture for coordinating the broader Federal Government response to the incident.  Specifically, PPD-41 assigns lead response roles for:

  • Investigation/Information Sharing: The Department of Justice, acting through the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force, will lead the “threat response activities,” which include investigative activity, providing attribution, linking related incidents, identifying threat pursuit and disruption opportunities, and facilitating information sharing and operational coordination with asset response.
  • Asset Protection: The Department of Homeland Security will lead “asset response activities,” which include furnishing technical assistance to affected entities, mitigating vulnerabilities, reducing impacts of cyber incidents; assessing potential risks to the sector or region; facilitating information sharing and operational coordination with threat response; and providing guidance on how best to utilize Federal resources and capabilities in a timely, effective manner to speed recovery.
  • Intelligence Support: The Office of the Director of National Intelligence, through the Cyber Threat Intelligence Integration Center, will lead “intelligence support,” which includes building situational threat awareness and sharing related intelligence; the analysis of threat trends and events; the identification of knowledge gaps; and the ability to degrade or mitigate adversary threat capabilities.

For significant cyber incidents, the Federal Government may take these steps even if the targeted entity is in the private sector.  The incident response will be coordinated through a Cyber Unified Coordination Group or Cyber UCG, normally consisting of the federal lead agencies identified above, the relevant sector-specific agency (“SSA”) that typically serves as the primary regulator for the impacted entity, and private sector entities.

PPD-41 also directs federal agencies to take steps to facilitate the implementation of the Directive, including by consulting with industry stakeholders.  Federal agencies are required to develop sector-specific procedures for incident response coordination and to develop a national incident response plan for critical infrastructure.

The Annex contains specific provisions calling for the SSAs to “coordinate with critical infrastructure owners and operators to synchronize sector-specific planning consistent with this directive.”  Likewise, the national incident response plan is to be “developed in consultation with . . . owners and operators of critical infrastructure, and other appropriate entities and individuals.”  We therefore expect the effort to give private sector players an opportunity to have a voice in the government’s development of incident response procedures for their industry.

Our Take

Because many of the requirements of PPD-41 will have to be implemented in the next several months, the full impact of the Directive remains unclear.  We expect sector-specific incident response procedures to require private entities to take steps to embed coordination with SSAs in the entities’ incident response plans.  We also expect agencies to better articulate the types of events that they would view as “significant.”  The Directive emphasizes the need for the government’s involvement in incident response to be efficient and constructive, directing that the government response should take into account the “need to return to normal operations as quickly as possible” when engaging an entity in the wake of an incident.

Finally, the private sector should expect that the Federal Government’s involvement may lead to increased publicity for cyber incidents.  While PPD-41 states that the government will “safeguard details of the incident” and “sensitive private sector information,” it makes clear that the government need only determine that a “significant Federal Government interest is served” by issuing a public statement about the incident before making such a statement.  Although the Directive suggests that agencies “generally will defer to affected entities in notifying other affected private sector entities and the public” and will “coordinate their approach with the affected entities to the extent possible,” organizations must remain conscious that controlling messaging and publicity following a cyber incident will be complicated by government involvement, and the Directive will do little to curtail regulators in this regard.  For public companies, this may have additional implications related to SEC-required disclosures.