During a lighthearted moment in a serious conversation, Howard Schmidt, cyber security advisor to multiple presidents, told a Wall Street Journal interviewer that relying on a government agency as your primary backstop during a major cyber security breach is akin to calling Ghostbusters: you might not get the help you need when you need it.
Joking aside, the question of whom to call was a real one, posed to a group of CEOs during a cyber-attack simulation exercise. Unfortunately, none of the group could answer with certainty. In fairness to the CEOs, “who you gonna call” is a loaded question because the agencies themselves lack clarity on this issue.
On its website, the Department of Homeland Security (DHS) says that the Office of Cybersecurity and Communications (CS&C) is responsible for enhancing the “security, resilience, and reliability of the Nation’s cyber and communications infrastructure.” A branch of this organization, the National Cybersecurity and Communications Integration Center (NCCIC), is described as a “24x7 cyber situational awareness, incident response, and management center that is the national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement.”
Sounds like the place to call – right? Unfortunately, information on how to contact these organizations was not readily apparent on their web pages. A generic set of cyber incident reporting forms appears on a different DHS web page. But such forms may not trigger the immediate response needed in case of a breach – and they don’t specify the criteria or severity required to gain immediate DHS attention.
Adding to the confusion, a quick check of various agency websites yields what seem to be competing pitches around cybersecurity incident response. The Federal Bureau of Investigation’s (FBI) website has a section on Cyber Crime which explains that the FBI “leads the national effort to investigate high-tech crimes, including cyber-based terrorism, espionage, computer intrusions, and major cyber fraud.” The United States Secret Service has an Electronic Crimes Task Force (ECTF). The ECTF “prioritizes investigative cases that involve electronic crimes and provides support and resources to field investigations that meet criteria including; significant economic or community impact, use of schemes involving new technology, participation by organized crime or transnational organizations.”
One last chapter in this saga may provide light at the end of the tunnel. In late February, the government announced the creation of another organization – the Cyber Threat Intelligence Integration Center. The group, which will assist the NCCIC, will be focused on “connecting the dots” for cyber threats to the nation and cyber incidents affecting the U.S. It will also assist relevant agencies in investigating, mitigating and preventing incidents. Early details specify that it will not interact directly with private sector companies; however, it may eventually provide the coordination and clarity necessary to know where to turn for help – in the indeterminate future.
Bottom line? You don’t want to try to meet any of these entities for the first time during a cybersecurity incident. And you definitely don’t want to leave prevention, detection or response completely to the vagaries of agencies with unclear roles and competing interests. The best solution is preparation, and if cybersecurity is not already a C-level priority, it should be.
Some organizations and government agencies are gaining a whole new level of insight into threat detection and prevention by introducing big data and behavioral analytics into the cybersecurity toolset. If you would like to know more, check out this research by IDC.