The White House on Tuesday issued the US government’s first emergency response manual for a major cyber-attack, though some officials acknowledged it lacked clear guidance on possible retaliation against hacker adversaries.
The Obama administration, which created a federal cyber chief position in February that has not yet been filled, published a “presidential policy directive” that includes a five-level grading system.
No hack attack so far has hit level five, a source familiar with the policy discussions said. That would be reserved for a threat to infrastructure, government stability or American lives.
A hack on the Democratic National Committee (DNC), which the FBI is investigating, would likely earn a lower grade, depending on any foreign government involvement or intent to meddle in the presidential election.
Cyber-security experts and US officials said on Monday there was evidence Russia engineered the release of sensitive DNC emails to influence the Nov. 8 election between Democrat Hillary Clinton and Republican Donald Trump.
The Kremlin dismissed the allegations that it was involved as absurd.
The presidential directive was years in the making and provides the first public guidance on specific roles for federal agencies in responding to a major breach that, for instance, could disrupt a large bank or knock an urban power grid offline.
Cyber threats are “growing more persistent, more diverse, more frequent and more dangerous every day,” White House counter-terrorism adviser Lisa Monaco said at a cyber conference in New York on Tuesday.
She said the directive “will help answer a question heard too often from corporations and citizens alike – ‘In the wake of an attack, who do I call for help?’”
Officials within the administration of President Barack Obama, a Democrat, said the guidelines fall short of describing how Washington should hit back against significant attacks that do not kill anyone but cripple an electrical grid or the financial system.
Three current US national security officials, who spoke on condition of anonymity, said that so far the administration has not defined the point at which a cyber-attack justifies a military response.
“Is it worse than what a bomb could do, and if we decide it is, what’s the appropriate response?” one of the officials asked.
The directive defines a significant cyber incident as one likely to harm national security or economic interests, foreign relations, public confidence, health and safety or civil liberties, according to a White House fact sheet.
Obama has focused on cyber-security in his second term, marked by hacks on government agencies and private companies that exposed personal information of millions of people.
Crafting clear rules for hitting back at a cyber adversary has been inhibited by how hard it is to definitively attribute an attack, officials said, and by concerns that a proportionate response could escalate into an all-out cyberwar.
“Those are not necessarily conversations we’re going to have in public,” a senior administration official said when asked why the directive does not specify countermeasures.
The magnitude of any response will be determined by the severity assigned to an attack, the White House adviser Monaco said.
Obama signed an executive order in April 2015 that allows for the US to levy economic sanctions directly in response to cyber-attacks. That authority has never been used.
The new directive largely codifies existing practices and norms, rather than changing policy, said Ari Schwartz, a former top cyber-security adviser at the White House who is now with the law firm Venable.
The Department of Justice, working through the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force, will be the lead agency for investigating criminal intrusions or those that could affect national security, according to the policy.
The Department of Homeland Security will serve as the lead contact in helping companies respond to breaches of their networks. Intelligence agencies will be in charge of gathering information in order to identify who is behind an attack.
Senators Chuck Grassley and Patrick Leahy, the Republican and Democratic leaders of the Senate Judiciary Committee, respectively, asked the Justice Department and the FBI for information on the DNC hacking probe.
The senators wrote in letters to the agencies that if foreign intelligence agencies were trying to undermine the electoral process, “the US government should treat such efforts even more seriously than standard espionage.”