What does the latest U.S. federal ruling on cybersecurity mean for you? The recent executive order and U.S. Cybersecurity & Infrastructure Security Agency (CISA) commentary on it could provide a good framework for defending against ransomware and other attacks.
In its executive order on ‘Improving the Nation’s Cybersecurity,’ the White House directed the Secretary of the Department of Homeland Security (DHS) to “develop a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting Federal Civilian Executive Branch (FCEB) Information Systems.”
Now, the CISA has fulfilled its mandate by publishing the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Those resources provide recommendations for how FCEB agencies can respond to incidents and remediate security incidents involving vulnerabilities.
Unpacking the CISA Playbooks
To better understand these playbooks, I sat down with Gregory Touhill, ISACA board chair and director of the CERT Division of Carnegie Mellon University’s Software Engineering Institute. Touhill was also the U.S. government’s first chief information security officer (CISO), as appointed by former President Barack Obama. Here’s what he had to tell me.
David Bisson: What is the significance of CISA releasing its recent incident and vulnerability response playbooks?
Gregory Touhill: Previously in my career, I worked with organizations to build out cyber incident playbooks for critical infrastructure partners. I recall working with the financial services sector to identify best practices and tactics, techniques and procedures to build out incident response playbooks. But at that time, everyone was doing their own thing across the federal government, and DHS didn’t have the authority to standardize incident response and event management.
It’s a different story with CISA. This organization has the authority to take all the lessons from previous and current administrations to identify best practices in incident response and vulnerability management. The significance here is that CISA can standardize those guidelines as well as make sure every department and agency is following them. This helps to ensure there’s a common framework to have a more effective incident response and attack assessments if and when a bad day happens across the .gov domain. Similarly, it puts CISA in a position where it can take those playbooks and share them with critical infrastructure players.
Let me be clear. Without standardization, the federal government faces the risk of incomplete or ineffective response. There’s no unity of effort. There’s no proper communication of threats in a timely manner. And with that lack of communication, there’s the potential that a great solution set from one part of government doesn’t get communicated to another part. Such a gap can expand the federal government’s risk exposure, as attackers might try to target other agencies and departments. To prevent this from happening, we want to make sure we have common actions so that we can maximize precious resources and put them where they need to be at a time when they’re needed.
DB: What stands out to you from the playbooks?
GT: CISA’s playbooks embody a great and well-anticipated evolution of some of the efforts we’ve been doing for many years. It builds on work that’s already been done. It also builds on authorities that have come before, ensuring that we have a much more disciplined approach to cybersecurity going forward.
These standardized best practices come on the heels of CISA having announced the Joint Cyber Defense Collaborative public-private partnership initiative. When viewed with this initiative, it’s clear that CISA’s playbooks will be cross-fed with critical infrastructure partners along with different sector-specific agencies. They will be a great source of collaborative best practices to enhance cooperation with private industry organizations.
How Is This Relevant to Business?
DB: What part of CISA’s playbooks do organizations tend to struggle with most?
GT: Most of the time, organizations struggle to exercise their incident response and vulnerability management plans. An organization can have the best playbook out there, but if it doesn’t exercise it on a regular basis, well, ‘If you don’t use it, you lose it’. It needs to make sure that its playbooks have the proper scope so that everyone from executives to everyone else within the organization knows what they need to know…
When I say ‘exercise’, it’s important that organizations test their plans under realistic conditions. I’m not saying they need to unplug a device or bring in simulated bad code. They just need to make sure everyone tasked in the playbook knows what’s going on, understands what their roles are and periodically tests the plans. They can take the lessons they’ve learned and refine them. Incident response exercises don’t end with victory. They end with lessons for the future.
Ultimately, documents that sit on a shelf rarely get read. To be high-performing, industry, government and critical infrastructure organizations need to continue to test their technology, processes and people. They also need to understand their priorities and check multiple contingencies in an iterative way. For instance, after having run an exercise with IT, they can choose to run through the same (or similar) plan with operational technology to build their preparedness against attacks targeting their industrial control systems.
What the Playbook Doesn’t Cover
DB: Anything that you wish was included but didn’t make it into the playbooks?
GT: Three things. First, I would have liked to have seen CISA put some requirements in about the frequency of the exercises. CISA could have set a specific number of times that organizations must exercise their plans each year, for example.
Second, I would have liked to have seen some more clarity about the identification of best practices. Someone might figure out a new way for attack warning and assessment. But how does what they come up with get boosted up the chain of command? We need to have a good model for encouraging people to identify best practices as well as a workable model for evaluating those recommendations. We also need to have a mechanism in place so that best practices can be incorporated and quickly disseminated to playbook owners.
Finally, I would have liked to have seen some sort of governance model. Who will be reviewing these playbooks on a regular basis for content improvements? It shouldn’t just be CISA. It can be done through the auspices of bodies like the Federal CISO Council. This will bring more maturity on governance and oversight to the playbooks overall.
DB: Any other thoughts you have on the playbooks?
GT: Organizations need to be proactive. They can’t wait for a bad day to occur.