The NSC memo in some cases gives US security and intelligence agencies just 24 hours after they learn of serious hacks to deliver initial assessments to senior White House officials on the severity of the situations.
The goal is to more quickly determine whether a ransomware attack, for example, might affect multiple sectors of the economy — and whether the government may need to mobilize backup supplies of commodities, as it prepared to do after a ransomware attack on a US pipeline operator in May.
While the policy would apply to significant hacks of US critical infrastructure from any part of the world, it could inform US assessments of whether the Russian government’s tolerance of cybercriminals crosses a red line with the White House, a US official familiar with the policy told CNN.
A second US official familiar with the policy emphasized that it was not developed with a specific incident or foreign government in mind. The overarching consideration of the assessment, that official said, is: “Is this something that the national security adviser needs to call the president about?”
Biden “made it clear to the Russians that if (their nationals) attack critical infrastructure, that’s not allowed and that’s a red line,” the first US official said. The question for the White House then became, “How do we quickly determine if they’ve crossed a red line?” the official said.
“It was clear that we had to do a better job of assessing impacts” of major cyber incidents, the official added.
It’s not a new thing for NSC officials to assess the impacts of hacking incidents, but there is now greater urgency to do so following a series of ransomware attacks this year on critical US firms.
Assessing motivation and severity
The new NSC memo tasks analysts at the FBI, the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence with considering whether the perpetrators of a hack are motivated by financial gain or sabotage. The analysis could prompt a high-level, interagency working group to convene at the NSC for hacks that can take weeks or months to recover from, according to the memo.
The analysis is only a first look at the implications of a hack and could change as the fallout from an incident evolves.
The NSC leadership also wants the FBI and other agencies to use a color-coded system that was introduced during the Obama administration to rate the severity of a cyberattack.
The system runs from “Green,” a low-impact hack that is unlikely to affect national security or public safety, to “Black,” an “emergency” incident that poses an imminent threat to American lives, the stability of the federal government or the “provision of wide-scale critical infrastructure services.”
Jeanette Manfra, who helped devise the color-coded system as a senior NSC official in 2014 and 2015, welcomed the new focus on speeding up government assessments of the potential consequences of cyberattacks.
“These enhancements will be critical to ensure that the right capabilities are prioritized to respond to incidents with the potential for the most severe and widespread impact,” Manfra, who is now senior director of risk and compliance at Google Cloud, told CNN.
It’s not the first time that a White House has looked to reshape how the US bureaucracy responds to a major hack.
The White House set up the Cyber Threat Intelligence Integration Center, staffed by FBI, intelligence and homeland security officials, three months later.