The federal government proposes coordinating its response to cyberattacks with a structure in which agency officials know exactly who should be involved and the responsibilities of each.
A "working agreement" from the U.S. National Security Council sets out ground rules for two new groups of federal security officials that will be called together to handle operations and policy issues whenever there is a significant cyberattack, according to documents detailing the agreement. By naming the members of a Critical Infrastructure Working Group and a Critical Infrastructure Steering Group and detailing their responsibilities, the government has taken a big step toward being able to respond more effectively to incidents, experts say.
"The single most important lesson that people who have been through attacks have learned is that the actions in advance to establish the lines of communication and responsibility levels...are the biggest determination of whether this is a catastrophe or something you get through," said Alan Paller, director of research at the SANS Institute, a security education and research organization in Bethesda, Md.
"We really haven't had a structure, and this would allow us to convene the right folks, to take the correct actions," said John Gilligan, co-chair of the CIO Council's security committee. He will be serving as the representative of the CIOs, the technology users and providers, and working to incorporate a new process the agencies themselves are working on to share cyber incident information, he said.
Membership in the two groups will vary as government employees who focus on the protection of critical infrastructure change. But having a list of key security players launches a process that can be used and learned from over time, said Mark Montgomery, director of transnational threats at the NSC.
In the past year, both the U.S. General Accounting Office and Congress have called for better coordination among the many agencies and organizations involved in federal cyber incident response. As can be seen from just the core organizations in the working group - the National Infrastructure Protection Center, the U.S. Department of Defense Joint Task Force for Computer Network Defense, the Federal Computer Incident Response Capability, the National Security Agency and the U.S. Department of Justice - members cover all areas of government and represent diverse expertise.
Until now, no formal procedure existed for coordinating this expertise. That has left many agencies vulnerable to incidents such as the May attack of the "I Love You" e-mail virus. Future viruses and attacks could cause even more harm, according to the GAO.
The working group, which sits under the Critical Infrastructure Coordination Group, will come together when there are attacks or "seemingly unrelated cyber events" that affect national security, the national economy, public safety or military operations; in the event of an attack sponsored by another nation or state that affects U.S. security or interests; or in the case of an attack that may require coordination with another nation.
The agreement - designed to be a work in progress - outlines not only who is to be called in the event of a cyberattack, but also their responsibilities, including how to share information on the incident with private-sector response groups and other countries. It also attempts to ensure that each agency makes a valuable contribution to the process, whether that is technical know-how at the National Institute of Standards and Technology or the worldwide reach of the Defense Department.
The steering group will be called into action only to review the analysis efforts of the working group, or to recommend interagency responses to reduce vulnerability and ensure that the appropriate response is taken. But its members will then take the coordinated efforts and information directly to the president and the NSC to enable governmentwide decisions and action, Montgomery said.
The creation of these groups, and efforts at the CIO Council and other organizations to coordinate cyber-incident response, puts federal agencies on much better footing than they were in May, but there is still plenty that can be done and much that must be learned, Gilligan said.
"I don't think we're there yet...but I think we've now outlined the key steps," he said. "We now have some concepts, we now have the processes outlined, and now we have to do the experiencing."