Cyber-Ghostbusters: The US’s Risk-Based Cybersecurity Response
Goofy blog title aside, last week’s
Presidential Policy Directive about cybersecurity coordination and the release of the
new Ghostbusters film actually go hand in hand according to some recent media coverage.
The Directive from President Obama is significant since it answers most of the questions that security experts have been asking for many years. Whether at ISAC events, client meetings, or security industry tradeshows, this topic has been mentioned numerous times, with financial services organizations, in particular, concerned about how to get the attention of law enforcement, when to ask for assistance from law enforcement, and what constitutes a national security incident (especially one having to do with critical infrastructure). Specifically, reading this Directive makes it worth thinking about the following elements:
Not Just for the Public Sector: The public & private sectors are both equally at risk here - everyone now concedes that. The recent data breaches, security incidents, and other snafus at OPM, Sony, the DNC, Target, and Anthem are clear indications that this problem impacts every industry, state, and type of organization. “Security through obscurity” no longer applies. As the Directive
states [PDF], “These significant cyber incidents demand … especially close coordination between the public and private sectors.”
Overlap Among Clients: Similar to the regulatory confusion that banks’ experienced, this Directive is meant to reduce the amount of confusion experienced by organizations that are trying to bring legitimate problems to the attention of the US cybersecurity and law enforcement communities. Hopefully, this Directive will make the process smoother and faster.
What is “Critical Infrastructure”?: Critical infrastructure is mentioned only three times in the Directive, but nonetheless benefits from the clear definition that differentiates between a “Cyber Incident” and a “Significant Cyber Incident.” The former is defined as a vulnerability, procedure, system, or control that could be exploited, while the latter reflects a situation that is “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States.” This brings about some interesting questions. If Google, Facebook, or Amazon were to somehow disappear or become temporarily inaccessible, would that be a significant critical infrastructure incident? What about a school district or large hospital? Or a payment processor or settlement clearing house no one has heard of that provides critical support to our retail payments or capital markets infrastructure?
Comparisons from Other Realms: In many ways, if viewed from a historical perspective, this new Presidential Policy Directive cyber coordination has a lot in common with other responses to previous US crises. For instance, after 9/11, the creation of the TSA and its
public warning system is one relevant example of this. Another is the way in which national parks and forests
post warnings to visitors. Lastly, this might also be compared with the way in which lifeguards
warn the public about strong waves and dangerous swimming situations. In short, this collaboration and effort to rank cybersecurity incidents is all in normal course of the development of this problem to mainstream society.
Here’s my advice: Look at the Directive and understand how it benefits you and your organization. Learn how the different federal agencies are attempting to provide a roadmap and consider using it as part of your overall risk management and security framework before the next incident occurs.