The Department of Homeland Security has issued four reports to Congress focusing on information sharing through the DHS portal, also known as the Automated Indicator Sharing (AIS) capability. DHS was required to produce the reports pursuant to the Cybersecurity Act of 2015 (the Act). Two of the reports are final and two are interim.
DHS plans to solicit informal feedback on the interim reports from the critical infrastructure coordinating councils (private sector-specific councils that manage cybersecurity efforts) and privacy groups.
The two final reports
The report of greatest significance to the private sector is the “Guidance to Assist Non-Federal Entities to Share [CTIs] and [DMs] with Federal Entities.” This report discusses how these entities can best share cyberthreat indicators (CTIs) and defensive measures (DMs) through the DHS information sharing portal, and in turn with other federal agencies under the terms of the Act; it also discusses how the liability protections apply. In order to participate in automated information sharing, a private entity must obtain the correct equipment to ensure that machine-to-machine transfers are done properly. Key to this process are the STIX and TAXII automated information sharing standards that will be used to receive the shared information. These standards can be adapted as cybercriminals change their tactics and seek ways around the systems.
If the DHS information sharing program is to work in the long term, flexibility is necessary. The process as laid out in the two final reports is a good start, and adjustments can be made at the point of the DHS information sharing portal if need be.
It must be underscored that, for the DHS portal to be fully utilized by the private sector, it will be important for the portal to share information in real time, as occurs in private-to-private sharing. If DHS slows down the sharing process too often, including by requiring human inspection of specific individuals’ personal information, then real-time sharing will be significantly delayed, creating a risk that the entire program’s utility for the private sector may diminish.
A second final report, “Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act of 2015,” issued by DHS in coordination with the ODNI, DOD and DOJ, describes how the federal government currently shares CTIs and DMs within the government. This report provides a general overview of what the intelligence community is doing now with respect to information sharing.
The two interim reports
The “Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government” addresses government receipt and processing of CTIs and DMs from government agencies as well as from the private sector. This document sets out the basics of how a federal agency can and should receive CTIs and DMs and how that information will be further shared.
The second interim report, “Privacy and Civil Liberties Interim Guidelines: Cybersecurity Information Sharing Act of 2015,” was developed by the United States Attorney General and the Secretary of Homeland Security in coordination with the heads of appropriate federal agencies, as required under the Act. The privacy guidelines provide a framework for federal entities’ receipt, retention, use and dissemination of CTI and DMs obtained pursuant to activities authorized under the Act and other applicable laws.
The privacy report provides a workable paradigm for federal agencies in that it builds upon existing requirements to adhere to the Fair Information Practice Principles (FIPPs) as set forth in the National Strategy for Trusted Identities in Cyberspace, Appendix A, which lays out a framework of principles to follow for protecting individual privacy. Provided that the STIX- and TAXII-based information sharing systems at DHS work and screen the information properly, this privacy framework should operate as intended to protect individuals while allowing sharing in real time, a key goal of the Act. Again, there is a risk that DHS may over-screen CTIs by using human review too frequently, in which case neither public nor private entities will receive shared information in a timely manner.
The privacy report must be reviewed at least every two years by the Attorney General and the Secretary of Homeland Security and updated as appropriate. The AG and the Secretary have the discretion to include private sector entities with relevant industry expertise in the review.