Cyber threat information sharing has the potential to provide numerous benefits for organizations (both public and private) faced with cyberattacks, which are increasing in frequency and sophistication. Cyber threat information sharing can enable organizations to enhance their cyber preparedness and defenses by leveraging the knowledge and experience of a broader community and improve their awareness of the current threat landscape. Recognizing the benefits of threat information sharing, Congress passed the Cybersecurity Information Sharing Act of 2015 (CISA), which was signed into law on December 18, 2015, to encourage sharing of cybersecurity information by providing a safe harbor from unfounded litigation while at the same time protecting individuals’ privacy. As mandated by CISA to assist private entities and federal entities seeking to share cybersecurity information, the Department of Homeland Security (DHS) and Department of Justice (DOJ) recently released a series of reports explaining the types of information that can be shared and how to share that information. This post focuses on the guidance for private entities seeking to participate in information sharing under CISA provided in the DHS’s and the DOJ’s Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 (the “Guidance”).
CISA creates a voluntary system for sharing cybersecurity information – specifically, cyber threat indicators (CTIs) and defensive measures (DMs) – and encourages private entities to share such information by providing various protections. Specifically, CISA provides companies with (i) liability protection for sharing information in accordance with CISA, (ii) an exemption from antitrust laws for sharing CTIs and DMs with competitors, (iii) an exemption from public disclosure and open records laws, (iv) protection from government use of shared information to regulate or take enforcement actions against lawful activities of the company, and (v) non-waiver of privileges and trade secret protections when information sharing is limited to the federal government. To receive these protections, a company must meet the following requirements: (i) the information sharing must be for the purpose of protecting an information system or the data on an information system from a cybersecurity threat or vulnerability, (ii) the information shared must meet the definition of a cyber threat indicator or defensive measure, and (iii) personal information not directly related to a cybersecurity threat must be removed from a cyber threat indicator or defensive measure.
What information can be shared?
Companies can share CTIs and DMs with other private entities and public entities for the purpose of protecting an information system or information from a cybersecurity threat or security vulnerability. The term “cyber threat indicators” has a detailed and somewhat technical definition, but simply put, it includes any information describing or identifying security vulnerabilities or the tactics, tools and procedures that can be used by attackers to gain unauthorized access to information systems. In the Guidance, the DHS provided a number of examples of CTIs, such as:
- Web server logs showing that a particular IP address is testing whether a company has patched a vulnerability on its website;
- Techniques that permit unauthorized access to an industrial control system;
- Malware found on a company’s network;
- Domain names or IP addresses associated with botnet command and control servers;
- Types of data targeted by an attacker, as a way of warning other companies with similar data;
- Discovered vulnerabilities; and
- IP addresses sending malicious traffic in connection with a distributed denial of service attack on a company’s website.
To address privacy concerns, a company must remove from a CTI any information that it “knows at the time of sharing” to be personal information and that is not directly related to a cybersecurity threat. The Guidance explains that CTIs typically consist only of technical information about a cybersecurity threat and generally should not include personal information. CISA does not define “personal information,” but the Guidance provides the following examples of personal information:
- Individually identifying health information (e.g., physical or mental health conditions or provision of health care to the individual);
- Human resources information (e.g., an employee’s personnel file);
- Consumer information (e.g., a customer’s purchase history, preferences and complaints);
- Education history (e.g., transcripts and training);
- Financial information (e.g., bank statements, credit card statements and credit reports);
- Information about property ownership (e.g., Vehicle Identification Numbers); and
- Identifying information of children under the age of 13.
To help companies determine whether personal information is “directly related” to a cybersecurity threat – and thus can be shared – the Guidance includes a spear-phishing email as an example. The personal information of the sender of the spear-phishing email, including the name, email address and content of the email, could all be considered “directly related to a cyber threat” and thus could be included. However, the names and email addresses of the targets of the email would be personal information not directly related to a cybersecurity threat and shouldn’t be included as part of the CTI. In determining whether information should be removed, companies should consider the Guidance that states, “Information is not directly related to a cybersecurity threat if it is not necessary to assist others detect, prevent, or mitigate the cybersecurity threat.” Additionally, the Guidance suggests that companies use “standardized fields in structured formats” as a means of limiting information to CISA’s requirements and avoiding the sharing of personal information.
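The scrub step described above, written out as an added example that is not part of the Guidance or this post: an allow-list scrubber for a structured spear-phishing CTI record that keeps sender, lure and payload fields, drops target and employee fields, and redacts target addresses quoted inside the lure text. The field names and the sample record are hypothetical and constructed for the example.

```python
import re

# Hypothetical field names for a structured spear-phishing CTI record. Using
# standardized fields lets the scrub step be an allow-list: sender, lure and
# payload details describe the threat and stay.
SHAREABLE_FIELDS = {
    "indicator_type", "observed_at", "sender_name", "sender_email",
    "subject", "body", "lure_url", "attachment_sha256",
}
# Target and employee details are personal information not directly related
# to the threat and are removed before sharing.
PERSONAL_FIELDS = {"recipient_names", "recipient_emails", "recipient_department", "hr_notes"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def scrub_cti(record):
    """Return (scrubbed_record, removed_fields) for one CTI record.

    Fields not on the allow-list are dropped whether or not they are on the
    personal-information list: an unreviewed field is reported so an analyst
    can decide whether it may be added to SHAREABLE_FIELDS.
    """
    scrubbed, removed = {}, []
    sender = record.get("sender_email", "")
    for field, value in record.items():
        if field not in SHAREABLE_FIELDS:
            removed.append(field)
            continue
        scrubbed[field] = value
    # Any address in the lure text other than the sender's is treated as a
    # target's and redacted; the sender's address identifies the threat and stays.
    # Names in free text still need analyst review, which this example does not do.
    if "body" in scrubbed:
        scrubbed["body"] = EMAIL_RE.sub(
            lambda m: m.group(0) if m.group(0) == sender else "[REDACTED-EMAIL]",
            scrubbed["body"])
    return scrubbed, removed


# Constructed sample record, not real data; the hash is a placeholder.
SAMPLE = {
    "indicator_type": "spear-phishing-email",
    "observed_at": "2016-06-01T14:22:00Z",
    "sender_name": "Accounts Payable",
    "sender_email": "invoices@billing-portal.example",
    "subject": "Overdue invoice - action required",
    "body": ("Hi Alice, cc b.lee@corp.example. Please review the invoice at "
             "http://billing-portal.example/inv.php. Reply to invoices@billing-portal.example."),
    "lure_url": "http://billing-portal.example/inv.php",
    "attachment_sha256": "0" * 64,
    "recipient_names": ["Alice Jones", "Bob Lee"],
    "recipient_emails": ["a.jones@corp.example", "b.lee@corp.example"],
    "recipient_department": "Finance",
    "hr_notes": "Bob is on a performance plan",
    "ticket_owner": "secops-analyst-7",
}
```

Running `scrub_cti(SAMPLE)` returns the record with only the eight allow-listed fields and reports the five dropped ones, including the unreviewed `ticket_owner`.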
A “defensive measure” is defined as an action, device, procedure, signature, technique or other measure applied to an information system or computerized data that addresses a known or suspected cybersecurity threat or vulnerability. For example, a DM includes information about a security device that protects the company’s network (such as configurations of a firewall appliance) or techniques for protecting against phishing campaigns. The definition of DM is fairly broad, but CISA explicitly excludes a measure that provides unauthorized access to or substantially harms an information system not owned by the company applying the measure (i.e., hacking back). Although not expressly required by CISA, DHS encourages companies to remove personal information from a DM.
How can the information be shared in compliance with CISA?
The Guidance explains that CTIs and DMs can be shared with federal entities through four mechanisms: (i) an online portal (i.e., the “Automated Indicator Sharing” initiative); (ii) a web form; (iii) an email to the DHS; and (iv) submission through Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs), such as the Financial Services ISAC and the Oil and Natural Gas ISAC. Importantly, companies that share threat information with federal entities through any other process will not receive CISA’s liability protection, but will receive the other CISA protections (i.e., the antitrust exemption, non-waiver of privileges, exemption from public disclosure laws, etc.). Companies may also share CTIs and DMs with other private entities directly or through ISACs and ISAOs, and as long as the CISA requirements for sharing are satisfied, such companies will receive the full array of protections afforded under CISA.
Where do companies go from here?
CISA is certainly not a panacea for cybersecurity in the U.S., but it’s a positive step. Sharing cybersecurity information with private and public partners can provide numerous benefits and can be an important part of a comprehensive cybersecurity program. However, implementing an information sharing program in accordance with CISA should not be a foregone conclusion for all companies. Companies that are already part of an ISAC or ISAO and have policies and procedures in place for sharing cybersecurity information are likely best positioned to take advantage of the protections afforded by compliance with CISA. Such companies should still work closely with in-house and outside counsel to ensure that the existing policies and procedures are appropriately tailored to comply with CISA.
Companies that do not have existing information sharing programs in place should first consider establishing an interdisciplinary team from IT, compliance and legal (or the existing data security incident response team, if one is in place) to better understand the potential benefits and costs associated with establishing and maintaining a CISA-compliant program. For example, CISA requires companies that share or receive CTIs or DMs to implement “security controls” to protect such information from unauthorized access or acquisition. A company that decides to share information under CISA should establish policies and procedures in accordance with CISA to collect, scrub and share the types of information that it deems appropriate for sharing. The National Institute of Standards and Technology’s Guide to Cyber Threat Information Sharing, SP 800-150 (2nd Draft April 2016), is an excellent resource for companies establishing cyber threat information sharing programs. Ultimately, whether and how to share information under CISA should be a consideration for the company’s overall cybersecurity strategy.