The White House has enacted a new policy requiring the FBI and other agencies to help US officials quickly assess whether a cyberattack “rises to the level of a national security concern” that could hamper the provision of key services such as fuel or food, according to a National Security Council memo obtained by CNN and two US officials.
The NSC memo in some cases gives US security and intelligence agencies just 24 hours after they learn of serious hacks to deliver initial assessments to senior White House officials on the severity of the situations.
The goal is to more quickly determine whether a ransomware attack, for example, might affect multiple sectors of the economy – and whether the government may need to mobilize backup supplies of commodities, as it prepared to do after a ransomware attack on a US pipeline operator in May.
While the policy would apply to significant hacks of US critical infrastructure from any part of the world, it could inform US assessments of whether the Russian government’s tolerance of cybercriminals crosses a red line with the White House, a US official familiar with the policy told CNN.
A second US official familiar with the policy emphasized that it was not developed with a specific incident or foreign government in mind. The overarching consideration of the assessment, that official said, is: “Is this something that the national security adviser needs to call the president about?”
The memo follows multiple disruptive hacks of US infrastructure this year by Russian-speaking cybercriminals, which prompted President Joe Biden in June to hand Russian President Vladimir Putin a list of 16 sectors, including energy and water, that should be off-limits to hacking.
Biden “made it clear to the Russians that if (their nationals) attack critical infrastructure, that’s not allowed and that’s a red line,” the first US official said. The question for the White House then became, “How do we quickly determine if they’ve crossed a red line?” the official said.
“It was clear that we had to do a better job of assessing impacts” of major cyber incidents, the official added.
NSC officials have practiced using the new policy to assess the severity of past hacks, such as the Colonial Pipeline disruption, the official said.
It’s not a new thing for NSC officials to assess the impacts of hacking incidents, but there is now greater urgency to do so following a series of ransomware attacks this year on critical US firms.
Assessing motivation and severity
The new NSC memo tasks analysts at the FBI, the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence with considering whether the perpetrators of a hack are motivated by financial gain or sabotage. The analysis could prompt a high-level, interagency working group to convene at the NSC for hacks that can take weeks or months to recover from, according to the memo.
The analysis is only a first look at the implications of a hack and could change as the fallout from an incident evolves.
“Kaseya looked very different on Day 1, 2 and 3 than it did on Day 10, 11, 12,” the second US official said, referring to a July ransomware attack on US software supplier Kaseya that ended up breaching up to 1,500 businesses around the world.
The NSC leadership also wants the FBI and other agencies to use a color-coded system that was introduced during the Obama administration to rate the severity of a cyberattack.
The system runs from “Green,” a low-impact hack that is unlikely to affect national security or public safety, to “Black,” an “emergency” incident that poses an imminent threat to American lives, the stability of the federal government or the “provision of wide-scale critical infrastructure services.”
Jeanette Manfra, who helped devise the color-coded system as a senior NSC official in 2014 and 2015, welcomed the new focus on speeding up government assessments of the potential consequences of cyberattacks.
“These enhancements will be critical to ensure that the right capabilities are prioritized to respond to incidents with the potential for the most severe and widespread impact,” Manfra, who is now senior director of risk and compliance at Google Cloud, told CNN.
It’s not the first time that a White House has looked to reshape how the US bureaucracy responds to a major hack.
After suspected North Korean hackers disrupted computer systems and stole unreleased movies from Sony Pictures Entertainment in November 2014, Obama administration officials complained that there was no federal clearinghouse for analyzing cyber intelligence and identifying the perpetrators of hacks.
The White House set up the Cyber Threat Intelligence Integration Center, staffed by FBI, intelligence and homeland security officials, three months later.