New Presidential Directive on Incident Response

Last week, President Obama issued a policy directive (PPD-41) on cyber-incident response coordination. The FBI is in charge, which is no surprise. Actually, there's not much surprising in the document. I suppose it's important to formalize this stuff, but I think it's what happens now.

News article. Brief analysis. The FBI's perspective.

Posted on August 2, 2016 at 6:40 AM • 22 Comments

Comments

DroneAugust 2, 2016 7:16 AM

Wednesday, 12 October 2016, DNC Headquarters: "Quick! Our system is being attacked by unidentified foreign entities! Call up our team of Lawyers and get them started trying to fill-out all those new 'FBI Cyber-Incident Report' forms. Hurry up, before it's too late!!"

system failureAugust 2, 2016 7:20 AM

You can't expect to build weak points into products that you have created vulnerable by design so you can f_ck the rest of the world up the ass and then be surprised when the rest of the world f_cks you up the ass for using the same products.

BruceAugust 2, 2016 10:36 AM

@Patrick,

The DoJ/FBI is in charge of the investigation. DHS is in charge of remediation. ODNI will lead the spooks. The only confusion appears to be yours.

rAugust 2, 2016 11:24 AM

@Bruce,

Is there a reason you're not in yellow?

"The only confusion appears to be yours."

Also, that's a wee bit condescending - no offense - those two things considered: is it too much to state that we have reasonable doubt as to your authenticity?

Dirk PraetAugust 2, 2016 12:33 PM

Ah, the Belgian approach: involve as many agencies as possible so no one feels left out and everyone gets to blame everyone when coordination and communication go horribly wrong.

v00fdjAugust 2, 2016 12:42 PM

@r

Bruce is a common first name.

Or maybe he was impersonating Bruce Willis or Bruce Almighty.

albertAugust 2, 2016 12:52 PM

Just what we need; another layer of bureaucracy. This sort of thing is only exceeded (in complexity) by military command structures.

"...Asset response activities include furnishing technical assistance to affected entities to protect their assets, mitigate vulnerabilities..."

Say, guys, why not 'mitigate vulnerabilities' BEFORE you get attacked? How many times do you need to be slapped upside the head before you raise a hand to stop it? Or have you already suffered brain damage?

Further, why not force Private Entities to secure their systems? Refuse governmental assistance after an attack if they don't comply.

And finally, allow liability claims against PEs for preventable incidents.

Sometimes, you gotta make folks do the right thing.

When kids are allowed to do what ever they want, they grow up spoiled and entitled.

. .. . .. --- ....

AlzarAugust 2, 2016 1:07 PM

These were the kind of things the NSA director was talking about, now formalized through their "FBI brand", this formalization will guarantee that the NSA can gather this kind of information in the future for cybersecurity purposes.

John DittmerAugust 2, 2016 2:41 PM

@albert: Remediating and mitigating millions of devices on government network is an ongoing struggle even in the best of conditions. Even when USCYBERCOM puts out an IAVM, ordering a mitigation or vulnerability within DoD, it can weeks or months before it is done. Besides, cyber incidents can still happen from a variety of other sources such as physical destruction of the infrastructure. There needs to a response plan for the Federal Government to respond and deal with the multiple, often conflicting priorities of preserving evidence for a future investigation vs. getting critical systems back on-line.

unbobAugust 2, 2016 6:44 PM


@John Dittmer

"Even when USCYBERCOM puts out an IAVM, ordering a mitigation or vulnerability within DoD..."

A bit of a nitpick, but CYBERCOM passed that responsibility of to DISA 2 or 3 years ago.

yoshiiAugust 2, 2016 10:36 PM

I have good confidence in the FBI. I think it is a good choice. Although they may be frustrated with dealing with NSA fallout from Stuxnet-style antics blowback, I think the FBI is an appropriate and trustworthy entity these days (as opposed to the Hoover days of yore).
I am thankful for the hard work they do and I think it's better than utilizing a group that is more attuned to "cyberoffense". And I really don't know why people even use the term "cyber" it's kind of a funny word... especially when people talk about "cyberspace", which doesn't exist. But of course the internet does exist. But i digress.

interesting update, anyhow. It's not the first time I've been to the FBI's website.

Peace be with them as well.

PeanutsAugust 3, 2016 4:18 AM

Could it have anything to do with emerging threats targeting elections? Any substantial hinkiness in voting systems tabulation or election night drama could be material cause for a "do over" {unprecedented}.

but what if the hinky goal was not a do over, but a flush of the two current candidates plus a do over? (Movie plot time, add narrative)

Attribution would be near impossible without a forensic gaff, so one would be found, perhaps a discovered iphone to unlock or other smoke and mirror to keep the folks distracted

An rather interesting time for current state of freedom for which systems, and the populace is vastly unprepared let alone any first responders for any response of measurable worth.

Git yer popcorn prepare for the theater, with or without butter?

Peanuts

albertAugust 3, 2016 9:33 AM

@John,
Investigation of when, how, and why should always be done, obviously. 'Millions of devices'? How about one server?
It seems like every time I read about an incident, the method of entry was a known technique. We've got to do whatever is necessary to keep the horses in the barn (which is a lousy metaphor*, because those 'horses' can't be put back).

@Brian,
"...why not force Private Entities to secure..."

---------
* Can anyone think of a better one?

Wasn't the Metaphor a car built by American Motors back in the 70's?

. .. . .. --- ....

Bay of Pigs All-StarsAugust 3, 2016 4:43 PM

Hey, uh, quick question, if your CIA coup plot flops because of mortifying amateurish COMSEC, is that a cyber incident??

http://www.yenisafak.com/en/news/clash-of-kings-qq-used-by-turkey-coup-plotters-for-communication-2499182

It really kind of looks like a II(B). It did harm national security, right, because a lot of high-ranking US clowns got burned and the US turned into even more of a laughingstock, and probably Turkey invokes Article 13 in 3-2-1...

http://www.yenisafak.com/en/local-news/us-commander-campbell-the-man-behind-the-failed-coup-in-turkey-2499245

http://www.yenisafak.com/en/news/cias-clandestine-meeting-in-istanbul-on-coup-night-2499850

But I guess we have to see how this plays out, you know, to find out if Obama fires Brennan and Brennan goes to the Farm and whacks Obama.

rAugust 3, 2016 10:13 PM

@Bay of pigs, All

My apologies, Mr. Pigs for I do not dare click on your links considering the dangers of participating in such discussions and my being a member of a security and privacy site who expresses certain very opinionated views.

https://www.theguardian.com/technology/2016/aug/03/turkey-coup-gulen-movement-bylock-messaging-app

QQ, as I said is Chinese. But the breakdown from The Guardian & Reuters tells a different tale, I wouldn't expect you to click my links either - but from reading your URL it seems there are two different stories.

fajensenAugust 4, 2016 5:34 AM

That will work: The FBI has never, ever, spoiled a terrorist plot they didn't make themselves. Expect lots of "hacker take-downs" from FBI sting operations, instead of filling prisons with pot-heads, we can replace them with "hackers" and keep the prison-industrial scam running at capacity for another 20-25 years, easy.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.