As we wrote previously, the federal government released several guidance documents last month implementing The Cybersecurity Information Sharing Act (CISA). Among these was the Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under CISA published by the Department of Homeland Security and Department of Justice. This document provides guidance on the circumstances in which personal information of a specific individual may – or may not – need to be shared in order to adequately describe a cyber threat indicator (CTI). In addition, the release identifies certain categories of information likely to be considered individually identifiable information unrelated to a cybersecurity threat, and provides guidance on sharing CTIs with the government in a manner covered by the Act’s liability protections.
Under CISA, a company may share CTIs and defensive measures (DMs) for a cybersecurity purposes “notwithstanding any other provision of law,” and may receive certain liability protections for sharing in accordance with the Act. However, companies must, prior to sharing, remove any information from a CTI or DM that it knows at the time of sharing to be personal information of – or identifying – a specific individual that is not directly related to the CTI or DM.
A major concern of the guidance is the tension in CISA between sharing enough information to adequately convey a cybersecurity threat, while at the same time minimizing the personal information that is shared. As an example, the guidance notes that:
Information is not directly related to a cybersecurity threat if it is not necessary to assist others detect, prevent, or mitigate the cybersecurity threat. For example, a cyber threat indicator could be centered on a spear phishing email. For a phishing email, personal information about the sender of email (“From”/“Sender” address), a malicious URL in the e-mail, malware files attached to the e-mail, the content of the e-mail, and additional email information related to the malicious email or potential cybersecurity threat actor, such as Subject Line, Message ID, and X-Mailer, could be considered directly related to a cybersecurity threat. The name and e-mail address of the targets of the email (i.e., the “To” address), however, would be personal information not directly related to a cybersecurity threat and therefore should not typically be included as part of the cyber threat indicator.
Other examples in the guidance of information that may be shared as part of a CTI include:
- A company could report that its web server log files show that a particular IP address has sent web traffic that appears to be testing whether the company’s content management system has not been updated to patch a recent vulnerability.
- A security researcher could report on her discovery of a technique that permits unauthorized access to an industrial control system.
- A software publisher could report a vulnerability it has discovered in its software.
- A managed security service company could report a pattern of domain name lookups that it believes correspond to malware infection.
- A manufacturer could report unexecuted malware found on its network.
- A researcher could report on the domain names or IP addresses associated with botnet command and control servers.
- An engineering company that suffers a computer intrusion could describe the types of engineering files that appear to have been exfiltrated, as a way of warning other companies with similar assets.
- A newspaper suffering a distributed denial of service attack to its web site could report the IP addresses that are sending malicious traffic.
The guidance also highlights personal information considered “unlikely to be directly related to a cybersecurity threat.” This includes personal information protected under other privacy laws such as the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act, the Family Educational Rights and Privacy Act, and Gramm-Leach-Bliley.
The document clarifies that the specific liability protections in CISA granted to private entities who share CTIs with the federal government attach only for sharing that is done (i) through the DHS automated capability (Automated Indicator Sharing – AIS), (ii) by filling out a Web form on a National Cybersecurity & Communications Integration Center website, (iii) via email with DHS, or (iv) through an Information Sharing and Analysis Organizations (ISAO).