Page 54 - Cyber Warnings
P. 54
analysis of threat trends and events; the identification of knowledge gaps; and the ability
to degrade or mitigate adversary threat capabilities.
For significant cyber incidents, the Federal Government may take these steps even if the
targeted entity is in the private sector.
The incident response will be coordinated through a Cyber Unified Coordination Group or Cyber
UCG, normally consisting of the federal lead agencies identified above, the relevant sector-
specific agency (“SSA”) that typically serves as the primary regulator for the impacted entity,
and private sector entities.
Additionally, the Annex imposes deadlines on federal agencies to complete various action items
within the next three to six months to facilitate the implementation of the Directive, many of
which require that the agencies consult with industry stakeholders.
For example, federal agencies are required to develop sector-specific procedures for incident
response coordination and to develop a national incident response plan for critical infrastructure.
Impact on Critical Infrastructure Operators in the Private Sector
Because many of the requirements of PPD-41 will have to be implemented in the next several
months, the full impact of the Directive remains unclear. However, we anticipate the following
impact on private sector companies involved with critical infrastructure:
Internal incident response plans will need to be updated
We expect that the development of sector-specific incident response procedures to require
private entities to take steps to embed coordination with SSAs into the entities’ incident
response plans.
Increased government involvement with cyber incidents
Because PPD-41 establishes clear responsibilities among federal agencies, we expect
government involvement in the investigation, response, and intelligence gathering activities
related to cyber incidents may be more extensive than it has been in the past.
This may particularly be the case when the government designates a cybersecurity event as
“significant” and thus assembles a Cyber USG to support the incident response. We also expect
agencies to better articulate the types of events that they would view as “significant.”
One potential benefit to private sector companies is that PPD-41 may clarify expectations and
lead to fewer regulator “turf battles” in the wake of an incident. To some extent, government
54 Cyber Warnings E-Magazine – August 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide