George W. Bush's Homeland Security Advisory System—the color-coded terrorism "threat level" indicator that became a symbol of post-9/11 fear mongering—is getting its spiritual successor for hacking: the "Cyber Incident Severity Schema."
President Obama announced a new policy directive Tuesday that will codify how the federal government will respond to hacking incidents against both the government and private American companies.
The announcement is particularly timely as people ask whether the US government should respond to the hack of the Democratic National Committee, which is believed to have been perpetrated by the Russian government.
The Cyber Incident Severity Schema ranges from white (an "unsubstantiated or inconsequential event") to black (a hack that "poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons"), with green, yellow, orange, and red falling in between. Any hack or threat of a hack rated at orange or above is a "significant cyber incident" that will trigger what the Obama administration is calling a "coordinated" response from government agencies.
As you might expect, there are many unanswered questions here, and the federal government has announced so many cyber programs in the last few years that it's hard to know which, if any of them, will actually make the US government or its companies any safer from hackers.
This year alone, the White House has sent journalists more than 80 emails, announcements, and fact sheets containing the word "cyber." This coordination policy directive has grown out of February's Cybersecurity National Action Plan, which grew out of the Cybersecurity Act of 2015, a hugely flawed and unpopular law (formerly known as CISPA) that was snuck through Congress as a rider to the budget bill.
The new policy will require that the government do "threat response," which will focus on identifying and prosecuting the hackers, "asset response," which will focus on securing whatever systems were affected, and "intelligence support," which will focus on creating profiles of known hackers and on developing "the ability to degrade or mitigate adversary threat capabilities."
But the policy is notably short on specifics: For one, it doesn't define when or if a hack can ever be considered an act of war, a question that comes up any time a state actor is suspected of hacking an American asset. Is a "significant" cyber incident an act of war? It's a question that was asked after North Korea was suspected of hacking Sony Pictures, and we're hearing it again as Russia looks to be the culprit behind the hack of the Democratic National Committee. So far, the White House has been reluctant to answer the question, perhaps fearing that declaring a hack an "act of war" would require a war-like response against powerful nation states like Russia and China.
Obama's policy notes that "when a cyber incident affects a private entity, the Federal Government typically will not play a role in this line of effort, but it will remain cognizant of the affected entity's response activities, consistent with the principles above and in coordination with the affected entity."
So what we're left with, for now, is a color-coded system that already seems unable to classify or respond to hacks we've already seen. The DNC isn't a government entity, but the hack and subsequent release of its internal goings-on by a foreign country certainly undermines US sovereignty and the democratic process; will the White House demand a "coordinated response"? "Russia is tampering with the underlying structure of our democracy" doesn't neatly fit into any one color-coded category of the schema, but then again, the terror threat level system didn't make much sense, either.
The Hacks We Can't See is Motherboard's theme week dedicated to the future of security and the hacks no one's talking about.