Above My Pay Grade: Incident Response at the National Level, Jason Healey (PowerPoint presentation)




SLIDE 1

Above My Pay Grade: Incident Response at the National Level

Jason Healey, Atlantic Council

SLIDE 2

Traditional Incident Response

SLIDE 3

But at the national level, incident response is a different game

Implications for

  • Misunderstandings between geeks and wonks
  • Attribution
  • Decision making
  • Large-scale response (or miscalculations about response)

SLIDE 4

EXAMPLE: LARGE-SCALE ATTACK ON FINANCE

SLIDE 5

Large-scale Attack on Finance Sector

Who Is Their First External Call To?

Bank A, Bank B, Exchange, Clearing House

SLIDE 6

First: Call a Law Firm!

SLIDE 7

Then Mandiant or CrowdStrike!

SLIDE 8

After That: Tell the Cops…

Bank A, Bank B, Exchange, Clearing House, USSS, FBI

SLIDE 9

Then Share within the Sector

Bank A, Bank B, Exchange, Clearing House, FS-ISAC

  • Operational sharing and crisis management
  • Shared with all financial institutions
  • Sector-wide incident response via audioconference ‘bridge’ line
  • Typically heard:
    – “What’s the vulnerability?”
    – “Is there a patch?”
    – “What IP addresses?”
    – “What works to mitigate?”

SLIDE 10

When More than Tech Discussions Are Needed…

Bank A, Bank B, Exchange, Clearing House, FS-ISAC, FSSCC, FBIIC, Other ISACs (Water, Energy, Telecom…)

Policy-Level Incident Response

  • Senior company and government executives across all sectors and regulators
  • Management response via audio bridge
  • Typically heard:
    – “How healthy is the sector?”
    – “What do we do if it gets worse?”
    – “Can markets open as normal tomorrow?”

SLIDE 11

If Markets are Melting…

Bank A, Bank B, Exchange, Clearing House, FS-ISAC, FSSCC, FBIIC, Other ISACs (Water, Energy, Telecom…)

Treasury

Within Treasury

  • Escalate to the senior leadership, especially political appointees

SLIDE 12

If Markets are Melting…

Bank A, Bank B, Exchange, Clearing House, FS-ISAC, FSSCC, FBIIC, Other ISACs (Water, Energy, Telecom…)

Treasury

President’s Working Group on Financial Markets

Highest Level of Financial Decision-making

  • No different than any other financial crisis!
  • Secretary, Chairs of FRB, SEC, CFTC

SLIDE 13

The Cyber Response…

Bank A, Bank B, Exchange, Clearing House, FS-ISAC, FSSCC, FBIIC, Other ISACs (Water, Energy, Telecom…)

Treasury

President’s Working Group on Financial Markets

Department of Homeland Security (DHS)

  • But what does that actually mean?
  • And what then?

SLIDE 14

The Cyber Response…

Bank A, Bank B, Exchange, Clearing House, FS-ISAC, FSSCC, FBIIC, Other ISACs (Water, Energy, Telecom…)

Treasury

President’s Working Group on Financial Markets

DHS

National Cybersecurity and Communications Integration Center (NCCIC)

  • 24/7 operations floor
  • Includes US-CERT, ICS-CERT, NCC

NCCIC: DHS, CIA, Justice, USSS, FBI, DoD, NSA, State, Others

Operations, Watch & Warning, Planning, Assist & Assess, Analysis, Liaison

FS-ISAC, Treasury

State & Local

SLIDE 15

If Incident Needs Escalation

Bank A, Bank B, Exchange, Clearing House, FS-ISAC, Other ISACs (Water, Energy, Telecom…)

DHS

NCCIC

NTOC, USCC

Cyber Unified Coordination Group (Cyber UCG IMT)

Operational Response

A “Significant Cyber Incident … requires increased national coordination” as it affects

  • National security
  • Public health and public safety
  • National economy, including any of the individual sectors that may affect the national economy, or
  • Public confidence

Telcos

SLIDE 16

Who Coordinates Above DHS?

SLIDE 19

If Incident Needs Escalation

Bank A, Bank B, Exchange, Clearing House, FS-ISAC, Other ISACs (Water, Energy, Telecom…)

DHS

NCCIC

“The Interagency”: ICI-IPC, Cyber Directorate, National Security Council, DoD, State, NSA, CIA, DHS, FBI, Others

Operational Response

Cyber Response Group

Policy Response

SLIDE 20

If Incident Needs Escalation

Bank A, Bank B, Exchange, Clearing House, FS-ISAC, Other ISACs (Water, Energy, Telecom…)

DHS

NCCIC

“The Interagency”: Cyber Directorate, National Security Council, DoD, State, NSA, CIA, DHS, FBI, Others

Operational Response

Deputies Committee, ICI-IPC

Cyber Response Group

Policy Response

SLIDE 21

If Incident Needs Escalation

Bank A, Bank B, Exchange, Clearing House, FS-ISAC, Other ISACs (Water, Energy, Telecom…)

DHS

NCCIC

Cyber Directorate

Policy Response

“The Interagency”: DoD, State, NSA, CIA, DHS, FBI, Others

Operational Response

Deputies Committee, Principals Committee, President of the United States, ICI-IPC

Cyber Response Group

SLIDE 22

Why This Works

  • Since
    – Worst-impact cyber conflicts are generally caused by nations, not individuals, and
    – Cyber conflicts tend not to be “network speed”
  • Process translates “cyber crisis” out of technical channels
  • Into the time-tested traditional national security crisis management
  • Countries with NSC equivalents have a natural edge over those without … like China

SLIDE 23

Why This is a Good Thing: Provides Process for Tough Decisions

  • Enables national-level technical response options
  • Commitment of additional resources to help private sector response
    – Money, personnel, intelligence
  • Determine “what nation is responsible?”
  • Enables response using levers of national power:
    – Diplomatic, economic and yes, military

SLIDE 24

Why the Process Might Not Work or Otherwise Suck:

  • It doesn’t always work even for physical crises!
  • When government wants to control the response
  • The “Katrina” of something on the edges of the system
  • The “Six-Day War”
  • True Cyber War

SLIDE 25

Why the Process Might Not Work:

If We Are At Cyberwar!

Bank A, Bank B, Exchange, Clearing House, FS-ISAC, FSSCC, FBIIC, Treasury

President’s Working Group on Financial Markets

DHS

NCCIC, Principals Committee, Deputies Committee, Cyber Directorate, NTOC, President

Financial Response

Cyber Command

Operational Response

Military Response

UCG, FEMA

Regional COCOM

SECDEF, CJCS

Governors

Policy Response

Director FBI, ICI-IPC

Cyber Response Group

SLIDE 26

Why the Process Might Not Work:

If We Get Stupid…

Bank A, Bank B, Exchange, Clearing House, FS-ISAC, FSSCC, FBIIC, Treasury

President’s Working Group on Financial Markets

DHS

NCCIC, Principals Committee, Deputies Committee, Cyber Directorate, NTOC, President

Financial Response

Cyber Command

Operational Response

Military Response

UCG, FEMA

Regional COCOM

SECDEF, CJCS

Governors

Policy Response

Director FBI, ICI-IPC

Cyber Response Group

Inside the Beltway, they forget that the real response, the real battle, isn’t in DC but at the banks under attack and in the private-sector networks.

SLIDE 27

QUESTIONS?

jhealey@acus.org | Twitter: @Jason_Healey

Cyber Statecraft Initiative

  • International conflict, competition and cooperation in cyberspace
  • Publications (all at our website, acus.org)
  • Public and Private Events