Yesterday, the White House released a new policy document on the management of cyber incident response. The document, Presidential Policy Directive (PPD) 41, captures over a decade of lessons learned on how federal agencies respond to cyber incidents. It is clear about what federal agencies will do (as well as what they will not do) and sets up a series of mechanisms for coordinating federal action with private companies.
It fixes long-standing problems in federal response policy, formalizing the “bubble chart” and creating unified coordination groups that work with private entities and state and local governments, modeled on what works when responding to real-world disasters.
Unfortunately, nobody cares because the White House also released a Cyber Incident Severity Schema that looks like the ill-fated and often-mocked color-coded Homeland Security Advisory System and the twitterverse is all abuzz. So, instead of getting into the importance of the new presidential policy, let’s take a minute to understand why the schema is not the homeland advisory system’s “spiritual successor for hacking.”
Believe it or not, the federal government does every once in a great long while realize that something does not work and fixes it. The Obama administration eliminated the Homeland Security Advisory System because national alert levels simply were not useful. Raising the alert level to orange because of a bomb threat to the financial sector in New York would cause seaports on the West Coast to burn overtime for guard patrols. Recognizing this problem, the Department of Homeland Security (DHS) replaced it with the National Terrorism Advisory System to provide specific and actionable information to the public when such information exists.
For cyber threats, there are already multiple similar systems used to convey government information to the public and to constituency groups, including US-CERT alerts and the joint intelligence bulletins from the Federal Bureau of Investigation (FBI) and DHS that are released to select groups. The Schema does not replace or augment these systems.
All the Schema does is create a way to quickly convey the severity of an incident to senior government officials. The press statement and the Schema document are clear that it is for internal government use: “a common framework within the federal government for evaluating and assessing the severity of cyber incidents and will help identify significant cyber incidents to which the PPD’s coordination procedures would apply.”
In government, I saw first-hand the need for this kind of easy-to-understand rating of an incident’s severity. A breaking headline on MSNBC can easily send an agency head into a tailspin. Conversely, practitioners who routinely deal with cyber incidents can become inured to cyber threats and not move quickly to respond. Being able to use a simple and easily understood level system is just a common-sense thing to do when a dozen or more agencies need to be on the same page.
I can guess that the team that developed the schema probably thought about ways to avoid using colors. I can almost guarantee that the White House debated not releasing it because they knew that the color-coding would be mocked. Yet in the end, they decided to do both because they were the right things to do.
Nobody ever gets confused about whether green or red is worse in a color hierarchy (numbers can go either way: DEFCON 1 and a Category 5 hurricane are both the highest in their respective fields). And even though it is quite possible the public may never see the category rating of a cyber incident, releasing the schema is in the public interest. It helps explain the context for the PPD. Private companies may want to adopt it. At a basic level, there is no reason to make the Electronic Frontier Foundation go through the process of a Freedom of Information Act request to get it.