The Department of Homeland Security (DHS) and the Department of Justice (DOJ) last week issued final public guidance for the sharing of cybersecurity information between the U.S. Government and the private sector, as required under the Cybersecurity Act of 2015 (“CISA”). The detailed guidance identifies the type of information that can be shared within the CISA framework—so-called “cybersecurity threat indicators” and “defensive measures”—as well as information that should be removed from reports submitted to DHS, primarily personal information and information that is not related to the cybersecurity issue, such as financial data and information about minors.
- CISA defines threat indicators broadly to include information that is needed to describe or identify malicious reconnaissance of information systems, methods to defeat defenses, security vulnerabilities, or hacks to trick users to inadvertently undermine a system or security measure.
- Information sharing under CISA is a voluntary process and private sector entities can determine when to do so and the level of detail to be included in the reporting. For example, information that would not normally need to be shared would include personal information about the recipient of a phishing email.
The final CISA guidance, which is broken down into four documents,[1] also provides details on the process by which the private sector can share threat indicators and defensive measures through a DHS portal as well as via email and through public-private information sharing organizations.[2] A key consideration is that only sharing via the DHS portal will invoke the specific liability protection provisions under CISA Section 106. The protections afforded under CISA include limitation on liability for the sharing of cybersecurity information; an antitrust exemption for sharing threat indicators and defensive measures; a non-waiver of privileges; and protection of trade secrets and proprietary information. In addition, CISA provides protections against government regulators using information shared under CISA in an enforcement action against the company sharing the information. However, CISA does not shield companies from any liability arising out of any cyber breach or data compromise. Other elements of the guidance address privacy and civil liberty guidelines for the use and retention of information provided to DHS.[3]
Sharing of cybersecurity threat indicator information under CISA is a key facet of the U.S. Government’s efforts to step up closer cooperation with the private sector, which controls most of the internet infrastructure that is at risk of cyber-attacks. Companies considering sharing information with DHS under the provisions of CISA should consider establishing internal protocols for managing the process and determining which information to disclose. We will be monitoring developments in this area and the extent to which information sharing practices evolve and impact the equities of the private sector.