We live in the 21st Cyber Century. I began my career as an FBI Special Agent in the Golden Era of Cyber Crime, a time of missing passwords, no defenses against denial of service, pirated software and relatively open networks. It was the Wild Wild West, one that could not fathom the 21st Century's data speeds, data volumes and computing power. Just as the terms and vernacular have evolved in the "western" computer investigations landscape since I began working cybercrime, in what sociologists would characterize as the Information Age, so has our public response in the form of executive orders, directives, commissions and plans. As the Wild Wild West was starting to be tamed, there was Presidential Decision Directive (PDD) 63: Protecting America's Critical Infrastructure. Fast forward to the 21st Century and we have the Presidential Policy Directive on United States Cyber Incident Coordination (aka PPD-41). It continues the United States Government's maturity model by streamlining incident coordination within its monolith of agencies, and by protecting the health and safety of the public through coordination with the private sector, which owns the overwhelming portion of today's critical infrastructure, in the event of a "significant cyber incident."
The currency of today is the information, or data, housed in our collective systems. No longer are the Department of Defense or financial institutions the main targets of criminals, terrorists, leakers or nation states. Our interconnected 21st Cyber Century of experts, data repositories and related intellectual property is at risk everywhere: individuals, businesses, non-profits, government and military.
Over the years, I learned that after developing an incident response plan, an organizational test or exercise is crucial in "practicing" for an actual event. As a former Chief of the FBI's Computer Investigation and Infrastructure Protection Program, I participated in numerous exercises within government and the private sector. These ranged from a wireless network provider conducting a mock incident, with response and liaison with its local FBI office, to a Department of Defense Full-Field Exercise with operational units facing an attack on our infrastructure. I had the pleasure of catching the National Security Agency's "Red Team," who posed as an adversarial hacking group from a fictitious nation. From these and other experiences, the entities would assess the exercise (from a morning Table-top Exercise to a week-long Full-Field Exercise) and conduct an After-Action Report. Although you will probably not be summoned to the Pentagon's Military Command Center (MCC), you may be in a Mahogany Row somewhere based on your role in your organization, committee or board. If you are new to these types of exercises, be prepared to articulate your role and corresponding decision-making process. If you are a veteran, impart your wisdom and experience from both your real-world encounters and previous exercises; these usually provide constructive dialogue, new perspectives and learning outcomes for you and your colleagues.
What PPD-41 prescribes, namely the scope, definitions, principles and concurrent lines of effort for a cyber incident, can be transferred to any organization. The "architecture" for major cyber incidents identifies roles and responsibilities that need to be trained, tested and continually improved upon. As the Information Security or Cyber Security profession continues to mature, the Information Security Management entity (e.g. a generically named Security Incident Response Team or Crisis Incident Response Team) as defined by NIST, ISO or another body must utilize exercises and role-based programs to aid the cost effectiveness, risk management and organizational resiliency of present and future incident response coordination.
Finally, the directive outlines the basis for a Cyber Unified Coordination Group (UCG) that can have broad liaison with industry through various existing programs such as InfraGard (which I program-managed in the early years when the program went national), the Information Sharing and Advisory Councils (ISACs) and other fusion centers. Please take my advice and utilize these partnerships while staying focused on protecting your entity, as only stakeholders within an organization can, because only an exercise-trained incident response group will know your network, data assets and organizational cost benefits as well as your leadership team does.