Presidential Policy Directive 41 does not require cyber incidents to be malicious or affect safety

Aug. 1, 2016

Cyber incidents can be malicious or unintentional and still cause significant impacts and deaths. The lack of requiring a cyber incident to be malicious may have significant implications to cyber insurance policies particularly in being able to identify what is or isn’t a control system cyber incident.

Presidential Policy Directive/PPD-41 (United States Cyber Incident Coordination) was issued July 26, 2016. It states that while the vast majority of cyber incidents can be handled through existing policies, certain cyber incidents that have significant impacts on an entity, our national security, or the broader economy require a unique approach to response efforts. These significant cyber incidents demand unity of effort within the Federal Government and especially close coordination between the public and private sectors. PPD41 defines a cyber incident as an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon. For purposes of this directive, a cyber incident may include a vulnerability in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. It defines a Significant cyber incident as a cyber incident that is (or group of related cyber incidents that together are) likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.

The PPD41 definitions are based on the traditional NIST CIA (Confidentiality, Integrity, Availability) triad - where S (safety) is not considered and the term “malicious” is not used. Some of the most significant cyber incidents that resulted in multiple deaths or major region-wide power outages were not malicious. Moreover, since there are minimal control system cyber forensics and often the only difference may be motivation, it may not be possible to distinguish an unintentional cyber incident from a malicious cyber attack. The 2008 Florida outage affected 26 transmission lines and 38 substations and left almost 3 million people without power for about 8 hours yet the only difference between this incident being malicious or unintentional was the motivation of the person involved (the impact is similar to the 2015 Ukrainian hack). In the case of the 2008 Florida outage, the threat source was the SCADA operator taking actions based on incomplete information. Moreover, control system cyber incidents can, and have, resulted in injuries and deaths – more than 1,000 deaths to date.

Cyber incidents can be malicious or unintentional and still cause significant impacts and deaths. The lack of requiring a cyber incident to be malicious may have significant implications to cyber insurance policies particularly in being able to identify what is or isn’t a control system cyber incident.

Joe Weiss