NEW YORK — President Obama approved a new directive Tuesday that spells out for the first time in writing how the government handles significant cyber-incidents.
The directive lets the public know which agency handles what, answering an oft-heard question after a breach: Whom do I call for help?
The administration also for the first time revealed how it grades the severity of an event — and how it determines what is significant.
The directive comes as the administration is grappling with its latest major cyber-incident: the Russian hack of the Democratic National Committee’s computers and the suspected release by the Russians of the embarrassing DNC emails that appeared Friday on the anti-secrecy site WikiLeaks, days before the Democratic National Convention was to begin in Philadelphia.
This incident will certainly test the new directive, as officials are still weighing how severe the breach is. To be considered significant, an incident must be likely to result in at least a “demonstrable impact” to public health or safety, national security, economic security, foreign relations, civil liberties or public confidence.
The implications of the hack — and the administration has not publicly blamed it on Moscow — are still unfolding. Officials have not determined, for instance, whether Russia is truly behind the WikiLeaks release. Democratic officials have accused Moscow of trying to influence the outcome of the U.S. election.
Such an operation would represent a novel threat for Washington. But White House officials have noted the evolving challenge of cyberthreats, be they from foreign governments, hacktivists, criminals or terrorists.
“We are in the midst of a revolution of the cyberthreat — one that is growing more persistent, more diverse, more frequent and more dangerous every day,” said Lisa Monaco, Obama’s adviser for homeland security, at a conference Tuesday at Fordham University.
Monaco also said the scale of the government’s response will be based on an assessment of the risks posed by an incident. “How might it affect our national security or economy? Does it threaten the life or liberties of American people?”
The directive has been in the works for at least two years, but it reflects the experience of almost eight years of dealing with increasingly complex and challenging cyber-incidents. The last four have been particularly trying.
Last year, officials discovered that the Chinese had breached computers at the Office of Personnel Management, exposing the data of 22 million current and former federal employees and their families. The year before that, North Korean hackers disrupted the network of Sony Pictures Entertainment, deleting files and disabling computers, uploading unreleased films to the Internet and leaking embarrassing emails. It was all an apparent effort to dissuade the studio from releasing a satirical film depicting the assassination of the country’s supreme leader, Kim Jong Un.
These two incidents certainly would be considered significant, though OPM “moved up the scale” when, as a result of the breach, it became difficult to process employees’ security clearances, said a senior administration official, who spoke on the condition of anonymity.
The White House has come up with a severity scheme ranging from Level Zero for an inconsequential event to Level 5 for an emergency — or an attack that poses an “imminent threat” to critical systems such as the power grid, federal government stability or people’s lives. Level 2 is reserved for an incident that may affect public safety or national security. Level 3 moves into the realm of significant, for high-severity events that are likely to have a “demonstrable” impact on public safety or national security.
There has been no known incident that would be considered a Level 5, senior officials said. The suspected Russian cyberattack on Ukraine’s electric grid in December that caused widespread power outages probably would have been a Level 4 — a “severe” event that likely would result in “significant” harm to public safety or national security — if it had happened in the United States, the official said.
An example of an incident that was high-profile but probably would not have risen to significant was the 2013 breach of Target, which affected the debit and credit card data of 40 million customers, officials said.
“If you’re the Target CEO, that was probably very high on your scale,” the senior official said. “But from a national security perspective, we did not need to spin up a huge amount of government machinery to handle that incident.”
The directive does not discuss how the government should respond to a significant event — whether it should impose sanctions, pursue indictments or even just publicly blame another country, for instance. Each case is fact-specific and responses depend on a range of factors, including geopolitics. But having the scheme helps officials “calibrate” whether they are giving an incident due attention, the official said.
For businesses, government agencies and other governments that are often unsure of whom to call in a cyber-incident, the White House also has simplified the organization chart. The FBI is the lead federal agency for investigating criminal and national security hacks. The Department of Homeland Security has the baton in helping breached organizations reduce the impact of an event and prevent its spread. The Cyber Threat Intelligence Integration Center, or CTIIC, pools intelligence to help identify who directed an intrusion or attack.
The Defense Department is not mentioned in the presidential policy directive because it does not play a primary role in domestic cybersecurity.