On the heels of some high-profile data breaches, the Department of Justice has published a list of best practices to help organizations prepare for and deal with cyber attacks.
The DOJ’s Cybersecurity Unit issued the findings last month, taking “lessons learned” from federal prosecutors about cyber criminals’ tactics as well as information gleaned from companies that have dealt with cyber incidents. The list is primarily aimed at smaller organizations with limited resources, but the DOJ says larger organizations might benefit from its findings as well.
The report comes amid heightened scrutiny around cyber attacks in Washington. Last month, President Obama issued an executive order allowing the administration to sanction cyber criminals — and newly sworn-in U.S. Attorney General Loretta Lynch said that cyber crime would be a major focus of her office.
The report does not have the effect of binding regulation. It is likely, however, that plaintiffs’ attorneys, regulators and law enforcement will treat these best practices as a general standard of care for handling cyber attacks. The guidelines fall under three general areas: how to prepare for an attack or intrusion, what to do while one is underway, and what not to do afterward.
The recommendations for preparation include identifying the data, assets and services that require the most protection (the organization’s “crown jewels”), preparing an incident response plan before an intrusion occurs, and ensuring the organization has legal authorization for the network monitoring it will need to detect and investigate an intrusion, through such means as computer user agreements, workplace policies and personnel training. The report also recommends the National Institute of Standards and Technology (NIST) Cybersecurity Framework as “excellent guidance on risk management planning and policies [that] merits consideration.”
Additionally, the report says it’s a good idea to make sure an organization’s legal counsel is familiar with technology and cyber incident management before any problems arise. The report notes that many private organizations retain outside counsel with expertise in data breaches.
“Having ready access to advice from lawyers well acquainted with cyber incident response can speed an organization’s decision making and help ensure that a victim organization’s incident response activities remain on firm legal footing,” the report says.
During an intrusion, the report recommends that organizations make an initial assessment of the scope and nature of the incident, take steps to minimize continuing damage, record and preserve information about the attack, and then notify the appropriate people, including management, law enforcement and other potential victims.
The report notes that affected organizations should not attempt retribution against attackers (i.e., “hacking back”). Besides likely being illegal, doing so “can damage or impair another innocent victim’s system rather than the intruder’s,” the report says, since attackers commonly route their activity through compromised third-party machines.
Lynch discussed the issue at a roundtable with industry on April 29, in which she stressed the need for the private sector to work with law enforcement.
“We have a mutual and compelling interest in developing comprehensive strategies for confronting this threat and it is imperative that our strategies evolve along with those of the hackers searching for new areas of weakness,” Lynch said, according to the Federal Times. “But we can only meet that challenge if law enforcement and private companies share the effort and work in cooperation with each other.”