Security experts have long said that sharing intelligence about cyberthreats is essential to the defense of information systems throughout all aspects of our society: business, government and community-based organizations. These systems are like the central nervous system for our economy and much of our society – except that we don’t have a centralized brain processing information from all those systems to readily identify when trouble is present on any one system, and to learn from different responses which damage-control techniques are the most effective. Cybersecurity experts have long understood the need to share cyberthreat information – recognizing that sharing threat information helps achieve a common good from which everyone benefits. Governments at all levels share a responsibility to protect the nation from cyberattacks and criminal activity, but because much of the country’s IT infrastructure and systems is privately owned and operated, the ultimate responsibility for assuring that cyberthreats don’t bring our economy to a standstill is a shared, public-private one.
Recognizing that information must be shared in order for one organization to spot a threat that was encountered by a different, but similar, organization, robust private and public entities have voluntarily formed organizations to share intelligence about cyberthreats. These are called Information Sharing and Analysis Centers (ISACs). ISACs typically form around “communities of interest” to collectively share information, which the ISAC’s experts analyze, thus enabling the respective communities to take proactive steps to protect their information systems and other critical assets. ISACs have formed around the financial services sector (the Financial Services ISAC), retailers (the Retail Cyber Intelligence Sharing Center), state governments (the Multi-State ISAC), the health care industry (the National Health Information Sharing and Analysis Center), and others.
But not all organizations have the financial or human resources to participate in ISACs. Therefore, in 2015, President Obama officially called for the Department of Homeland Security (DHS) to “strongly encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs).” The vision is that ISAOs will be more accessible to main street businesses and local governments, and will share a variety of information, including best practices and threat information. Executive Order 13691 led to the establishment of an ISAO Standards Organization that is working to create a cybersecurity information sharing ecosystem – a “white hat network” built on trust.
But sharing can be tricky business. If an organization shares the fact that it has been successfully hacked, even if it has no legal data breach notification obligations, that information can have significant adverse impacts in terms of liability and market reaction. To create a framework in which an information-sharing trust environment can flourish, in 2015 Congress passed the Cybersecurity Information Sharing Act (CISA). CISA establishes a legal structure through which private sector entities can share cyberthreat information without incurring liability for disclosing such information.
In the case of sharing cyberthreat information among private sector entities, CISA requires that any shared information be reviewed and scrubbed of any personally identifying information (PII) “not directly related to a threat” that the sharing entity knows about at the time it shares the information. In addition, any private sector industry seeking to avail itself of CISA’s liability protections must utilize security controls to protect against unauthorized access to or disclosure of the shared information. CISA also provides exemption from antitrust actions for companies sharing cyberthreat information in order to prevent, investigate, or mitigate cyberthreats.
In the case of sharing cyberthreat information with the federal government, CISA has slightly different rules and benefits. Importantly, CISA provides liability protection to a federally regulated private sector entity communicating with its federal regulatory authority with respect to a cybersecurity threat. Thus, a regulated telecommunications carrier communicating with the FCC about a cybersecurity threat could do so and be protected from regulatory fines, but only if the reporter follows the correct reporting mechanisms and rules. Specifically, a private sector entity must follow procedures published by DHS. In June 2016, DHS and the Department of Justice issued guidance explaining the information sharing methods within DHS’s “capabilities and process” that qualify a private sector entity for liability protection under CISA that might otherwise arise out of the act of sharing data with the federal government. These methods are:
DHS Automated Information Sharing (AIS)
This is the principal mechanism for sharing cyberthreat information with DHS. AIS is the technical protocol for sharing cyberthreat information in a secure and automated manner. Once cyberthreat information is received, analyzed and sanitized, AIS shares the information with all AIS participants. AIS will not provide the identity of the submitting entity to other AIS participants unless the submitter consents to share its identity as the source of the cyberthreat information.
Sharing Through an ISAC or ISAO
Liability protection extends to private entities that share cyberthreat information through an ISAC or an ISAO, because such entities are considered to be private sector entities that can share such information with the federal government under CISA. ISACs and ISAOs must of course comply with DHS information sharing procedures in order to receive liability protection. However, the law is unclear as to whether liability protection would extend to an ISAC or ISAO member who in good faith shares cyberthreat information with an ISAC or ISAO, but the ISAC or ISAO fails to follow CISA and DHS requirements for sharing such information.
DHS Web Form
DHS also provides an online form that private sector entities can use to provide cyberthreat information to DHS.
DHS Email
Private sector entities may also share cyberthreat information with DHS via email and qualify for liability protection.
Another critical component of CISA is non-waiver of privilege. Sharing cyberthreat information does not waive any privileges or legal protections with respect to the data. For example, sharing such information will not waive attorney-client privilege or change the nature of data designated as a trade secret. Information shared in accordance with CISA is also exempt from Freedom of Information Act (FOIA) requests. Finally, information shared in accordance with CISA cannot be used by a federal regulatory agency for regulatory purposes, except for the purpose of promulgating new cybersecurity regulations.
Sharing cyberthreat information is voluntary, and it remains to be seen whether CISA is effective in incentivizing the private sector to share cyberthreat information. DHS is strongly supporting and promoting the formation of ISAOs, and one of the selling points for forming or joining an ISAO is the ability to utilize economies of scale by centralizing the process by which information is shared among private sector entities (and with the federal government). However, the liability protection provisions of CISA have yet to be tested. The promise of liability protection is an essential element of Congress’s strategy to encourage greater information sharing within the private sector. But the threat of litigation against a company for erroneously disclosing commercially sensitive information, PII, or otherwise confidential information may still be great enough that it prevents companies from taking the leap to do the right thing and share cyberthreat information to protect the common good.
This article was co-authored by Emily Duke, the founder of Duke Law Office and CyberSmart Law. She can be reached at [email protected] Tony Mendoza