CAPITOL HILL: If your company or city comes under a cyber attack, who ya gonna call? Well, please hold, because the federal government is still working that out in wargames and planning sessions, top officials said on the eve of the 18th anniversary of 9/11.
The Pentagon, intelligence agencies, FBI, and the Department of Homeland Security have a well-honed model for how to work together to defend elections, as they proved in 2018, said Jeanette Manfra, assistant director for cybersecurity at the Homeland Security Department’s nine-month-old Cybersecurity and Infrastructure Security Agency (CISA). But for other kinds of cyber attacks — whether on the 1s and 0s that flow through cyberspace, or the physical infrastructure of cables and exchange hubs they move through — there isn’t the same level of clarity.
“If I’m under ransomware attack, who am I supposed to call? Is that the same level as a disaster like a hurricane? That’s the part we’re working on,” Manfra told reporters after testifying yesterday to a rare joint session of House Armed Services Committee and the Oversight & Reform Committee. “We have the framing, and now we’ve just got to get the details.”
The military, civilian agencies, and private companies have had decades to refine their responses to natural disasters. There’s an elaborate nationwide web of mutual aid agreements detailing how utilities, localities, states, and federal agencies can help each other. Even post-9/11 plans for a major terrorist attack have had 18 years to thrash out details. But cyberspace is a new and rapidly shifting landscape where no one has anywhere near as much hands-on experience.
Yes, there’s a National Cyber Incident Response Plan and an Obama-era Presidential Policy Directive, PPD-41, that purports to lay out agency responsibilities. The FBI leads on prevention and investigation, for example; DHS leads disaster response and mitigation; the Intelligence Community shares info on the threat; the military provides technical support and logistical muscle; and so on. But there isn’t nearly the level of nitty-gritty detail for cyber as there is for natural disasters.
“We’re still working with DoD [the Department of Defense], taking those high-level documents and refining them into what does that … then mean for the agencies, operationally,” Manfra said.
“If it’s a hurricane, [at the Defense Department], they’ve got the mission assignments. They know, ‘OK, we’ve got to send people to fill sandbags,'” she explained. For cyber responses, she said, “that part is not mature enough.”
The Pentagon’s Limits
The Department of Defense is working closely with Homeland Security and the FBI to work this out, agreed Ed Wilson, deputy assistant secretary of defense for cyber policy. DoD and DHS signed a major agreement last year expanding their cooperation and clarifying their roles.
(Ostensibly, all this interagency coordination is supposed to be orchestrated by the National Security Council. In practice, the NSC is increasing dysfunctional. Manfra declined to comment on the ouster of President Trump’s latest National Security Advisor, John Bolton, or whether the NSC should restore the cybersecurity position that Bolton abolished).
Even within the Department of Defense, there’s some ambiguity about who does what. If there’s a physical attack on the homeland, US Northern Command would lead the response, with other commands in a supporting role, Wilson told the committees. If it’s purely a cyber attack, Wilson went on, “there’s a decision to be made, [but] in most cases we’d look to Cyber Command to be the lead.”
“Just a few years ago that was a bit cloudy,” Wilson said. “We’ve exercised that on many occasions, and that is maturing.”
What if there’s a physical attack on cyber infrastructure? An adversary might cut undersea data cables, blow up the landing stations where they converge as they come ashore, or set fire to the Internet Exchange Points (IXPs) where different providers physically plug their networks together to exchange data. That was actually the official topic of yesterday’s hearing, co-chaired by Rep. Jim Langevin and Rep. Steve Lynch, but I didn’t hear a definitive answer in 90 minutes of testimony.
Indeed, as Wilson described it, the Pentagon’s wargaming so far has focused on how to keep its own communications networks running in event of a cyber attack, with less emphasis on how to protect the nation as a whole. Preventing an attack from paralyzing the military is logically a top priority, but legislators were worried about what happens to their constituents at home.
When it comes to the home front, both Wilson and Manfra repeatedly emphasized is that the vast majority of network infrastructure — including systems the military relies on — is owned and operated by the private sector. It’s internet service providers, telecommunications utilities, and other companies that would be both the first target of an attack on critical infrastructure and the first responders trying to fix it.
“The US government has a limited and specific role to play,” Wilson said.
Neither Defense nor Homeland Security has “jurisdiction” over undersea cables or internet exchange points on land, Manfra told the committees. Instead, they are collaborating with each other, other agencies like the FBI, and above all the private sector to make the infrastructure more resilient to attack. That requires having both backup systems for when the primaries go down and response plans to restore what’s been broken.
“DoD’s not the only one that’s got assets that can support [us],” Manfra told reporters. “The private sector’s also got great assets, so we’re working to ensure we have a vehicle in place [to access] all the tools, whether that’s private sector or DoD.”
“Industry has really led,” Manfra told the committees. “We’ve identified some really good best practices.” Telecommunications companies in particular have honed their responses over repeated hurricanes, she said. That includes setting up mutual aid agreements to cooperate in restoring service when the infrastructure is physically wiped out and no one company can repair it fast enough. This kind of collaborative planning is now spreading beyond the telecom sector, Manfra said, which DHS is enthusiastically encouraging.
The military may have a strict chain of command on the battlefield. But on the homefront, defense is less about commanding than cajoling.