U.S. Rep. Jim Langevin (D-RI) applauded President Barack Obama this week for signing Presidential Policy Directive (PPD) 41, entitled “United States Cyber Incident Coordination.”
The directive complements the Cybersecurity National Action Plan, which was introduced earlier this year to build on the lessons learned from cybersecurity incidents.
“I commend President Obama for his continued leadership in signing this policy directive,” Langevin said. “I have long called for more centralization of cybersecurity efforts within government, and the cyber incident coordination plan is another important step in moving away from ad hoc processes that are inadequate to deal with the threats we face.
“Because no computer system can ever be perfectly secure, we must focus on developing cyber deterrence, and incident response is an essential component of the triad of deterrence types: deterrence by resilience. Building resilient systems that recover quickly from breaches minimizes damage that can be caused by malicious cyber actors and therefore discourages them from acting in the first place. A healthy incident response framework, like that outlined in the PPD, also reduces the disruption to a victim organization – whether a small business, a critical infrastructure provider, or a government agency.”
Langevin added that the directive relies on principles, including risk-based response, shared responsibility and respect for victims, that should underlie any cybersecurity management plan.
“In particular, providing single points of authority for the different incident response lines of effort is essential to avoiding confusion, allowing for swift action in a crisis, and providing accountability,” Langevin said. “In order to provide the best possible ‘customer service’ in dealing with the federal government, the PPD does not rely on victim organizations knowing whom in government to contact. This is a worthy goal, but it will require careful implementation to ensure that every agency knows how to report cybersecurity incidents that are brought to its attention; similarly, bringing in state, local, territorial, and tribal partners is a vital next step. The PPD also highlights the immediate need to pass legislation creating a cybersecurity and infrastructure protection agency encompassing the existing National Cybersecurity and Communications Integration Center, a central operational element of government response.
“The administration’s efforts to institutionalize cybersecurity policies before the transition is to be commended; however, it is insufficient. Congress must ensure that appropriate resources are allocated to cybersecurity, from workforce development to retiring legacy systems, and ensure that the law keeps pace with the rapidly changing technology landscape. As evidenced by weekly headlines highlighting the latest hack, cybersecurity is the security challenge of the Information Age, and lawmakers need to devote a commensurate amount of attention and thought to the issue.”