Earlier this month, the U.S. Department of Homeland Security (DHS) and the Department of Justice issued the final procedures for how DHS will implement the Cybersecurity Information Sharing Act of 2015 (CISA).
CISA set up incentives for businesses to share threat information with each other and government agencies in hopes that it will eventually result in tools to better protect networks. Under CISA, any company or non-federal entity that shares this information with the government may obtain immunity from any public or private cause of action related to the sharing of cyberthreat indicators or defensive measures.
CISA potentially has a huge impact on how businesses share information, so the final procedures are worth examination.
The more things change...
In February, DHS issued interim CISA guidance and procedures, and the final procedures issued last week are not vastly different from the original guidance.
To obtain the business immunity, companies must follow specific protocols. For example, companies must share the data using one of DHS’ real-time capabilities, including the Automated Indicator Sharing (AIS) capability, approved webform or e-mail. Companies that don’t follow the protocols won’t receive the business immunity but may receive other protections outlined in CISA. Those include exemption from federal antitrust laws; exemption from federal, state, tribal or local government freedom of information act requests; exemption from certain state and federal regulatory uses; and no waiver of privilege for shared material.
The final guidelines do, however, explain how companies can share cyberthreat information with each other and still obtain the business immunity, said Daniel R. Stoller, senior legal editor at Bloomberg Law Privacy & Security News.
“As long as the companies follow procedures similar to the ones for sharing information with the government, they will receive the business liability under Section 106, as well as an exemption from antitrust violations that may arise from the sharing of information,” said Stoller.
One important fact to note is that under the current guidelines, this sharing and receiving of threat information is on a purely voluntary basis. Randi J. Parker, director of public advocacy at CompTIA, said her organization strongly believes that the framework should remain voluntary. Of course, one challenge of the voluntary rule is that, even with the business immunity, companies may still hesitate to share their data.
“At this stage of implementation, companies must thoroughly evaluate the benefits and risks associated with participating in the information-sharing process,” said Parker. “The guidelines further assist in allowing them to complete this evaluation.”
More specifically, the final guidelines lay out the types of information that should be scrubbed before it is sent to the government, including protected health information, human resource information, education history, property ownership and information protected under the Children's Online Privacy Protection Act, explained Stoller.
A few remaining gray areas of the final guidelines may also be of concern to businesses. As laid out in the measure's privacy and civil liberties guidelines, the government may use cyberthreat indicators or defensive measures for non-cybersecurity purposes.
“For example, the government may use the information to prevent or mitigate a specific threat of death or bodily harm and prevent or mitigate the sexual exploitation of a minor, among other purposes,” said Stoller. “This leaves companies with at least some uncertainty about whether they may be able to successfully obtain liability protection if they decide to share cybersecurity threat data with the government.”
Additionally, companies may be reluctant to open up their networks to DHS or the Federal Bureau of Investigation if they don’t know the exact purpose for which the information will be used.
“CISA has stated that there wouldn’t be a negative course of action against the organization when sharing data results in identifying a data breach of some sort or some other concern,” said Parker. “However, CISA’s protections apply only when sharing is conducted in accordance with the law’s specific requirements, including those that restrict the type of information shared, the manner in which information is shared, and the removal of personal information.”
Parker said one concern CompTIA has heard is that there will be an additional burden on public companies because CISA may implicate securities laws since cyber sharing could be considered material information requiring disclosure in a public filing.
Privacy concerns continue
The automated information sharing initiative and its rules could eventually impact many businesses and add complexities when it comes to user privacy.
Privacy apprehensions have surrounded CISA from the beginning. In late 2015, CISA was the subject of passionate lobbying by privacy groups and companies such as Apple and Dropbox, which said CISA fails to protect users' privacy.
In March, DHS released an assessment proclaiming there were some significant privacy concerns to be worked out with the Automated Indicator Sharing initiative, the automated system intended to allow private companies to share cyberthreat indicators with the federal government. CISA requires any personally identifiable information that is shared through the program to be directly related to a cybersecurity threat. But the report found “residual privacy risk that these processes may not always identify and remove unrelated PII, thereby disseminating more PII than is directly related to the cybersecurity threat.”
And even with the final procedures, some of those types of concerns remain.
“There are some privacy concerns around what types of data that the federal entities are going to share,” said Parker. “However, it was stated in CISA that personal information would be removed. There is always that question of what happens if it doesn’t get removed and it causes a data classification spillage.”