Presidential Policy Directive 41: United States Cyber Incident Coordination—What Is the Role of the Department of Defense?

On July 26, 2016, President Obama signed Presidential Policy Directive 41 (PPD-41), United States Cyber Incident Coordination, "setting forth principles governing the Federal Government's response to any cyber incident, whether involving government or private sector entities." Issued following high-profile attacks such as the 2015 Office of Personnel Management (OPM) breach and the recent breach of the Democratic National Committee's (DNC's) email system, the directive addresses a number of cyber-related issues, including definitions of the types of cyber incidents and the roles and responsibilities of departments in responding to them. The directive defines a cyber incident as an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon. A significant cyber incident is one that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people. The directive articulates five operating principles for incident response:

  • shared responsibility among individuals, government, and the private sector in protecting networks from attack,
  • risk-based response,
  • respecting affected entities,
  • unity of effort, and
  • enabling rapid restoration and recovery.

The directive also prescribes a five-level cyber incident severity schema for rating the severity of a cyber incident, similar in concept to the Department of Homeland Security's former color-coded Homeland Security Advisory System.

This directive offers details supporting goals previously enunciated in the Comprehensive National Cybersecurity Initiative (CNCI), which sought "an organized and unified response to future cyber incidents." The CNCI was published in January 2008 with the objective of "establish(ing) a multi-pronged approach the federal government is to take in identifying current and emerging cyber threats, shoring up current and future telecommunications and cyber vulnerabilities, and responding to or proactively addressing entities that wish to steal or manipulate protected data on secure federal systems." Because a cyber incident is complex and frequently uncertain in nature, and its investigation typically entails collecting data about the attackers, their motivations, and the applicable U.S. response, agencies often designate the resulting information as classified or law enforcement sensitive.

Some security observers suggest that this directive may help address prior concerns, raised by victims and prospective targets, about a lack of transparency regarding the activities various agencies undertake in response to a cyber incident. Others suggest that persistent questions remain regarding "the adequacy of existing legal authorities—statutory or constitutional—for responding to cyber threats and the appropriate roles for the executive and legislative branches in addressing cybersecurity."

The directive lists three federal agencies as leads for various levels of coordination. The Department of Justice (DOJ), acting through the FBI and the National Cyber Investigative Joint Task Force, is named the lead federal agency for threat response coordination, particularly where the incident in question may involve one or more nation states as the perpetrator. The Department of Homeland Security (DHS), through the National Cybersecurity and Communications Integration Center, is the lead for asset response activities, helping other agencies and companies recover from attacks on their networks. The Office of the Director of National Intelligence is the lead for intelligence support and related activities. According to the directive, DHS and DOJ must establish a concept of operations for the rapid response Cyber Unified Coordination Group as the primary method for coordinating between and among federal agencies in response to a significant cyber incident.

Critics contend that the question of who is in charge in the event of an attack is not sufficiently answered by the new directive, and that missing from the coordination plan is a clear focal point within the government for the private sector to call upon in the event of a major incident. Others question whether the entities named by the directive correlate to the nature of the threat. For example, some posit that as a diplomatic institution, the State Department is more appropriate than the Department of Justice for working with nation-state actors.

In addition, mention of the Department of Defense (DOD) is noticeably absent from the document. A specific area of ongoing congressional interest is the role of DOD in planning for and responding to a cyber incident. U.S. Cyber Command and the National Security Agency are DOD assets that are well positioned to respond to a cyber event of national significance. Not only is DOD charged with defending the nation from threats; the 2015 Department of Defense Cyber Strategy also affirms that the department must work with its interagency partners, the private sector, and allied and partner nations to deter and, if necessary, defeat a cyberattack of significant consequence on the U.S. homeland and U.S. interests. By invoking the military, the presidential policy directive could have deterrence value by alerting foreign nations to the consequences that may arise should a cyber incident be linked to their territory. Previous statements from government officials declared that the United States will treat a significant cyberattack in the same manner as an attack on land, at sea, in the air, or in space. For example, the Administration's May 2011 International Strategy for Cyberspace pledged that the United States "will respond to hostile acts in cyberspace as we would to any other threat" and that "we reserve the right to use all necessary means." If the PPD were to suggest that a significant cyberattack on U.S. networks (meaning one with national security implications) may trigger a military response, this could serve as a similar declaratory policy. Such an assertion could raise the stakes for countries that engage in malicious cyber activity. In contrast, placing DOJ as the lead seems to be in keeping with the Administration's view that cyber incidents should be treated as a criminal matter, leading to indictments of foreign nationals as individuals.