Select seating at the table

The federal government proposes coordinating its response to cyberattacks with a structure in which agency officials know exactly who should be involved and the responsibilities of each.

A "working agreement" from the National Security Council sets out ground rules for two new groups of federal security officials that will be called together to handle operations and policy issues whenever there is a significant cyberattack, according to documents detailing the agreement. By naming the members of a Critical Infrastructure Working Group and a Critical Infrastructure Steering Group and detailing their responsibilities, the government has taken a big step toward being able to respond more effectively to incidents, experts say.

"The single most important lesson that people who have been through attacks have learned is that the actions in advance to establish the lines of communication and responsibility levels...are the biggest determination of whether this is a catastrophe or something you get through," said Alan Paller, director of research at the SANS Institute, a security education and research organization in Bethesda, Md.

"We really haven't had a structure, and this would allow us to convene the right folks, to take the correct actions," said John Gilligan, co-chair of the CIO Council's security committee. He will be serving as the representative of the CIOs, the technology users and providers, and working to incorporate a new process the agencies themselves are working on to share cyber incident information, he said.

Membership in the two groups will vary as government employees who focus on the protection of critical infrastructure change. But having a list of key security players launches a process that can be used and learned from over time, said Mark Montgomery, director of transnational threats at the NSC.

In the past year, both the General Accounting Office and Congress have called for better coordination among the many agencies and organizations involved in federal cyber incident response. As can be seen by just the core organizations in the working group — the National Infrastructure Protection Center, the DOD Joint Task Force for Computer Network Defense, the Federal Computer Incident Response Capability, the National Security Agency and the Justice Department — members cover all areas of government and represent diverse expertise.

Until now, no formal procedure existed for coordinating this expertise. That has left many agencies vulnerable to incidents such as the May attack of the "I Love You" e-mail virus. Future viruses and attacks could cause even more harm, according to the GAO.

The working group, which sits under the Critical Infrastructure Coordination Group, will come together when there are attacks or "seemingly unrelated cyber events" that affect national security, the national economy, public safety or military operations; in the event of an attack sponsored by another nation or state that affects U.S. security or interests; or in the case of an attack that may require coordination with another nation.

The agreement — designed to be a work in progress — outlines not only who is to be called in the event of a cyberattack, but also their responsibilities, including how to share information on the incident with private-sector response groups and other countries. It also attempts to ensure that each agency makes a valuable contribution to the process, whether that is technical know-how at the National Institute of Standards and Technology or the worldwide reach of the Defense Department.

The steering group will be called into action only to review the analysis efforts of the working group, or to recommend interagency responses to reduce vulnerability and ensure that the appropriate response is taken. But its members will then take the coordinated efforts and information directly to the president and the NSC to enable governmentwide decisions and action, Montgomery said.

The creation of these groups, and efforts at the CIO Council and other organizations to coordinate cyber-incident response, puts federal agencies on much better footing than they were in May, but there is still plenty that can be done and much that must be learned, Gilligan said.

"I don't think we're there yet...but I think we've now outlined the key steps," he said. "We now have some concepts, we now have the processes outlined, and now we have to do the experiencing."