Under CISA, Information Sharing Is Caring—If You Do It Right

Cyberattacks and data breaches clog the newsfeeds. And for good reason, when you consider the proliferation of threats. The Kaspersky 2015 Security Bulletin provides startling insights into the scope of the problem:

• Using malware, hackers made nearly 2 million attempts to steal money via online access to bank accounts last year.
• Ransomware was detected on more than 750,000 computers of unique users.
• Kaspersky Lab solutions repelled nearly 800 million attacks launched from online resources around the world.
• 34.2 percent of users’ computers suffered at least one web attack in 2015.

Securing sensitive data against the sheer number of cyberthreats is an impossible task for a single organization. It’s akin to sending one soldier to battle against an army of millions. In an effort to strengthen the nation’s defense against cyberthreats, Congress passed and President Obama signed into law the Cybersecurity Information Sharing Act of 2015 (CISA).

CISA enables the sharing of threat intelligence information—so-called cyberthreat indicators and defensive measures—between the federal government and the private sector. Compliance is voluntary, and the law promises legal liability protection for companies that choose to disclose such information in accordance with the law’s requirements.

The Department of Homeland Security (DHS) has officially launched the mechanism for sharing threat intelligence, known as the Automated Indicator Sharing (AIS) initiative. The government has said that the AIS will serve as the Internet’s “See Something, Say Something.” Once an AIS participant detects and reports a threat, all other participants will know about it. This process is designed to occur at “machine speed,” and “the country as a whole will be better able to manage cyberthreats.”

Does AIS Put Your PII and PHI at Risk?
“Machine speed” is an excellent notion, but weaknesses in the system could put privacy at risk. CIO Dive highlighted a finding from DHS’s privacy impact assessment of the AIS that despite “extensive” processes to remove unrelated personally identifiable information (PII), “there remains a residual privacy risk that these processes may not always identify and remove unrelated PII, thereby disseminating more PII than is directly related to the cybersecurity threat.”

However, as FCW pointed out, DHS will periodically assess these processes to ensure that PII is not “spilled” through the AIS program. According to the privacy impact assessment, DHS can use this feedback to adjust the definition of a particular threat indicator.

Dark Reading points out another finding from the privacy impact assessment, which basically says that AIS participants can use AIS threat intelligence information for purposes other than those that CISA authorizes.

Sharer Beware: What to Know Before Disclosing Information
When considering what information to share, attorney Brad Karp wrote in a Harvard Law School Forum on Corporate Governance and Financial Regulation blog post that “a company should evaluate whether a cyberthreat indicator or defensive measure implicates sensitive business information, and exercise particular care in evaluating the costs and benefits of sharing this information.”

“Particular care” should also be exercised when actually sharing information, and that means following the guidelines set forth for non-federal entities. In addition, the Dark Reading article and the Harvard Law Review Forum blog post provide some good insights on these guidelines:

  1. Realize that you must remove PII, and that you may have to remove more of it than you think. Beyond basic identifiers, you may have to scrub information protected by other laws, such as the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and the Children’s Online Privacy Protection Act.
  2. Know that the above-mentioned privacy laws do not cover all privacy concerns. Dark Reading cites Jadzia Butler of the Center for Democracy and Technology, who wrote that the list excludes the Electronic Communications Privacy Act (ECPA) or the Wiretap Act, “the two laws most likely to be ‘otherwise applicable’ to information sharing authorized by the legislation because they prohibit…the intentional disclosure of electronic communications.”
  3. To receive liability protection, share data only with DHS or with the industry Information Sharing and Analysis Centers (ISACs) that will pass the information on to DHS. While the Act allows you to share cyber threat indicators with other federal agencies, you will not receive liability protection. (By the way, if you have “particularly sensitive” information to share, Karp says to do it anonymously, which you can do through an ISAC or ISAO.)
  4. Understand the additional limitations of the law’s liability protections. For example, Karp pointed out that companies wouldn’t receive the “non-waiver of privilege protection” if they share information with state or local governments or other organizations—it only applies with the federal government. Additionally, Jason Straight, chief privacy officer of UnitedLex, pointed out that there may be legal risks for not only sharing threat data, but for receiving it via AIS. “It is conceivable that the fact that you received notice of a threat through threat sharing, did nothing, and were then compromised by that threat could be used against you in a litigation or even a regulatory action,” he told Dark Reading.

At the End of the Day…
Healthcare. Energy. Finance. Retail. Government. No industry is immune from cyberattacks. Perhaps it’s no surprise, then, that despite privacy and other concerns, the idea of sharing threat intelligence is not unwelcome. Indeed, as Vincent Weafer, senior vice president of Intel Security wrote for Dark Reading, “There is almost unanimous agreement among security professionals that cyberthreat information is valuable to their organizations.”

The devil, of course, is in the details. Weafer added, “As we dig deeper into the attitudes and implementation barriers to sharing that information, we find myths and significant reticence.” One of these myths, he said, was that cyberthreat intelligence does not contain any PII, “even when sharing a file reputation.”

In the long run, the success of the government’s threat intelligence-sharing program will depend on its success. That means program participants will want to see a return on their investment of time and money. As former White House cybersecurity advisor Paul Kurtz said in a DC Inno article, “…critical to the success of any program will be providing value back to those contributing as well as ensuring communications are private.”

This is part 3 of a three-part series on the Cybersecurity Act of 2015. Read part 1: The race to cybersecurity and the ensuing privacy debate. Read part 2: Apple vs. FBI and Cybersecurity Act of 2015: 3 questions to ask before sharing data.
