The White House has released a detailed Presidential Policy Directive on what qualifies as a “significant” breach and what officials should be doing to help mitigate damage. For the first time, there is a categorical system defined by White House and government officials for victims of cyber-attacks.
The rise in cyber-crimes has remained a critical threat to the health of some of the world’s largest and most impactful companies, as well as posing a fatal threat to thousands of SMBs. In an effort to create a unified response for crimes against companies both large and small, the White House has adopted a comprehensive framework used to determine the severity and urgency of an attack, as well as the investments and seniority levels necessary to respond to the threat.
Cyber-crimes are to be assessed on a scale of six levels and are categorized based primarily on the potential impact to public health, safety, civil liberties, foreign relations and economic security.
The system starts with a baseline “Level Zero”, defined as an unsubstantiated or inconsequential event, and is capped at a “Level Five” Emergency — an attack that poses an imminent threat to public and national safety. According to the Washington Post, there has never been a Level Five attack based on a national security standard. Lisa Monaco, President Obama’s adviser for Homeland Security, said that the 2013 Target data breach may have seemed like a Level Five, but did not constitute one according to the new standards. “If you’re the Target CEO, that was probably very high on your scale,” she said. “But from a national security perspective, we did not need to spin up a huge amount of government machinery to handle that incident.”
Most recently, tens of thousands of emails, voicemails, social security numbers and private data connected to the Democratic National Convention were released and shared on the anti-privacy network WikiLeaks. The leak has not yet been categorized under the directive, but it will prove to be an important example for the directive’s future.
The directive does not yet have a systemic plan for handling the aftermath of a breach, but it will make it possible to manage and sort through breaches with more efficiency.