New policy gives some federal agencies 24 hours to assess major cyberattacks: report

A new policy recently rolled out by the White House gives certain federal agencies as little as 24 hours to assess the impact of a cyberattack and report the attack if it rises to a major level of concern. 

CNN, which obtained a copy of the memo issued by the White House National Security Council (NSC), reported the policy applies to national security and intelligence agencies, including the FBI, and gives some of the agencies only 24 hours to report a cyberattack they assess to be “a national security concern” to the White House. 

A U.S. official told The Hill on Friday the memo is “a process and a common methodology to help the USG speak with one voice — nothing more and nothing less. It gives the NSC the framework to make an initial assessment of whether a cyber incident rises to the level of a national security concern. In many incidents, that assessment will change with time.”

“Throughout the year, we have worked to refine and strengthen the federal government’s response to all cyber incidents in a more uniform, whole-of-government way,” the official said. “That continues to be our goal — we learn from every incident and refine our incident management approach to get faster and better each time.”

The policy comes after a difficult year of major ransomware attacks on companies including Colonial Pipeline and JBS USA, along with the SolarWinds hack, which allowed Russian government-linked hackers to compromise at least nine federal agencies for most of 2020. 

The administration has taken a series of steps designed to strengthen the nation’s cybersecurity since President Biden took office. These have included Biden signing a cybersecurity-focused executive order in May, levying sanctions on Russia in April in retaliation for the SolarWinds breach and convening the Counter Ransomware Initiative to bring together dozens of nations to tackle ransomware attacks. 

While the administration has taken steps against various nations in relation to cyber incidents, including Biden’s meeting with Russian President Vladimir Putin in June at which cybersecurity was a key topic, the U.S. official stressed to The Hill on Friday that the new policy was not focused on any specific country.

“Our process is not driven by one country or one incident, rather a commitment to have an efficient process that will protect the American people and our critical infrastructure,” the official said. 

The memo was also released as members of Congress on both sides of the aisle are working to pass legislation that could create some form of mandatory cyber incident reporting for critical infrastructure groups. Federal officials have repeatedly pushed for this policy, arguing the need for greater transparency into threats faced by the private sector. 

The U.S. official said Friday that the memo was part of the administration’s efforts to gain greater transparency into attacks aimed at the nation. 

“I would not attempt to characterize or predict what our response would be to any incident ahead of time — we do not, which is exactly why we created an orderly process to make these types of assessments,” the official said. “It’s exactly what the American people should expect of their government, that we will make informed, professional judgments about complex incidents. Then, informed by that assessment, we will take whatever steps are necessary to keep the nation secure.”