On February 16, 2016 the federal government provided specific guidance on how public and private organizations can voluntarily share so-called “cyber threat indicators” as outlined in the Cybersecurity Act of 2015. On the same day, a federal court ordered Apple to help the FBI unlock the passcode of the iPhone used by one of the attackers in the San Bernardino shootings. (Nine days later, Apple filed to dismiss the court order. Other tech companies—Microsoft, Google, Twitter, Facebook, and Yahoo—have said they will support Apple in federal court, according to a recent New York Times article.)
Both the Cybersecurity Act of 2015 and the Apple-FBI conflict have catapulted the privacy-security debate into the headlines. In the first of my three-part series on the Cybersecurity Information Sharing Act (CISA)/Cybersecurity Act of 2015, I touched on this debate. Now, we’ll consider three questions to help you decide if the benefits of information sharing outweigh the costs for your business.
Question 1: How private is private?
The day before President Obama signed the Cybersecurity Act of 2015 into law, a coalition of security experts and civil society groups wrote a letter to Congress opposing the legislation. A key concern was that the law would allow companies to increase the monitoring of their users’ online activities, and allow the sharing of “vaguely defined” cyber threat indicators without sufficient privacy protections.
According to the terms of CISA, organizations must first “remove personal information, or information that identifies a specific person not directly related to a cybersecurity threat, prior to sharing an indicator.” However, the privacy and security experts wrote that, “The current bill includes a standard that would allow companies to default to sharing personal information not necessary to describe a cyber threat, rather than removing it, and requires only that companies engage in a cursory review of indicators to identify personal information.”
The Department of Homeland Security (DHS), the agency responsible for administering the information-sharing portal, says that the law provides what it calls “two layers of privacy protections.” One is the de-identification process. The second is that DHS “is required to and has implemented its own process to conduct a privacy review of received information.” In addition, the technical parameters of the portal itself “function as a kind of uncodified privacy protection and set the stage for almost every other element of information sharing included in CISA,” writes Susan Hennessey, managing editor of Lawfare and General Counsel of the Lawfare Institute.
Question 2: What happens to the data after it’s shared?
The answer to this question depends on who you ask. David Williamson, vice president of professional services at MetricStream, said in a CSO article that the law’s incentives (liability protection) are for companies “to pass information about people that can’t be proven not to be threat indicators…to the DHS and then to the NSA, where it will be linked to other information the feds keep on its citizens.
“Once aggregated, linked and shared among the various federal agencies, there are no limits to the purposes for which this information can be used,” he said.
As part of its guidance, DHS published several reports about information sharing through its portal, known as the Automated Indicator Sharing (AIS) capability. One of these is an interim privacy report that provides a framework for how federal entities handle the data. An example: “Specifically, cyber threat indicators and defensive measures provided to the Federal Government under CISA may be disclosed to, retained by, and used by…the Federal Government solely for a cybersecurity purpose….”
“These authorized activities of the federal government resulting from the shared information may lead to a proceeding, such as a federal criminal prosecution,” wrote attorneys Sean Hoar, Adam Greene, and Bryan Thompson on the Privacy & Security Law Blog by law firm Davis Wright Tremaine. “The Act does not prevent the disclosure of a cyber threat indicator or defensive measure in a criminal prosecution.”
The attorneys added, “Companies concerned about the confidentiality or proprietary nature of their information should carefully consider the business impact of any information sharing when that information might be referenced in a public proceeding. The Act does, however, exempt shared information from disclosure under federal and state freedom of information acts.”
Question 3: How safe is the information I share?
Once a company has divulged that information, just how well protected is it?
Aware of its vulnerabilities, the federal government is taking steps to strengthen its own cybersecurity posture. In February, President Obama sought $19 billion to address cybersecurity for the federal government in 2017, $5 billion more than this year. This budget request is part of President Obama’s newly released Cybersecurity National Action Plan. In addition, $3.1 billion has been allocated for modernizing the government’s outdated IT infrastructure. The government is also hiring, for the first time, a federal CISO to oversee its cybersecurity efforts.
As part of these cybersecurity efforts, President Obama also established, by executive order, a Federal Privacy Council. “The federal government is operating under the auspices of some very old privacy law and interpretations of that law. …,” Karen Neuman, DHS’ chief privacy officer, told IAPP’s The Privacy Advisor. “Technology is moving at lightning speed, and the way that people interact with that is moving equally fast, and the law just can’t keep up. The council will be well positioned on how to weigh in on bringing those laws into the modern age and allowing privacy professionals to be agile in how they respond.”
Let’s All Work Together
Whether or not you believe that Apple should help the FBI unlock the attacker’s iPhone, and whether or not you choose to share cyber threat information with the government, there is value in pooling resources, or, as CFO magazine calls it, “coordinating a defense.” Ed McNicholas, a law partner at Sidley Austin, told CFO that, “It’s been a problem for cybersecurity defense in corporate America that the attackers are often more organized…. The defense has not been as organized.”
The benefit of a coordinated defense, according to CFO, is that businesses can more rapidly respond to cyber attacks. A report by Mandiant Consultants found that in 2014 the median amount of time hackers lurked on a victim’s network was 205 days. But that time could be cut drastically if another company detects that an attack is in progress. Sharing that threat information with the victim company could avert a lot of damage. As Matt McCabe, a senior vice president in the cyber practice of insurance broker Marsh, told CFO: “From a CFO’s perspective, if I can detect and mitigate that threat within weeks instead of months—maybe within days instead of weeks or months—I have a real chance to preserve the value of my company.”
In the first article in this series, I discussed the privacy v. security debate. In the final article of this series, we’ll get an expert opinion on how businesses can legally protect themselves, whether or not they choose to share information as outlined in CISA/Cybersecurity Act of 2015.