You may have not even noticed it, but discreetly tucked into the massive omnibus spending bill signed into law last month is a provision that effectively makes it safer for companies to share cyber-threat information with one another—but critics argue the bill doesn’t go far enough to ease privacy concerns.
The controversial Cybersecurity Information Sharing Act (CISA), signed into law by President Obama on Dec. 18, 2015, as part of the comprehensive 2,009-page omnibus spending bill, creates a voluntary cyber-threat information-sharing process between industry and the government in the interest of national security. Laws that authorize the sharing of cyber-threat intelligence are nothing new, but companies have been hesitant to do so for a variety of reasons, including the fear of violating antitrust laws, facing a regulatory enforcement action, legal liability, and more.
CISA aims to address many of those concerns by implementing various protections from liability. One provision, for example, states that companies will be immune from any lawsuit that may arise out of the monitoring of an information system or for the sharing or receipt of a “cyber-threat indicator” or defensive measure. “Immunity for sharing data is the golden ticket,” says Boris Segalis, a partner at law firm Norton Rose Fulbright and co-chair of its data protection, privacy, and cyber-security practice group.
“The measure allows manufacturers to exchange real-time cyber-threat information with the federal government without increasing the regulatory burden and not creating any new liabilities—something that was not possible before the law was enacted.”
Brian Raymond, Director of Innovation Policy, National Association of Manufacturers
Companies may only share information that falls within the definitions of a cyber-threat indicator or defensive measure and, thus, how companies share information in practice hinges on how key terms are defined. The term “cyber-threat indicator” refers to information that is necessary to describe or identify attributes of a cyber-security threat.
Examples of cyber-threat indicators cited in CISA include:
Anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a security vulnerability;
A method of defeating a security control or exploitation of a security vulnerability;
Anomalous activity that appears to indicate the existence of a security vulnerability; or
The actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cyber-security threat.
Additionally, the law broadly defines “defensive measure” as “an action, device, procedure, signature, technique, or other measure” that “detects, prevents, or mitigates a known or suspected cyber-security threat or security vulnerability.” CISA explicitly prohibits defensive measures that destroys, renders unusable, provide unauthorized access to, or substantially harms an information system or data stored on, or is processed or transmitted by an information system not belonging to the entity operating the measure or another entity authorized to provide consent.
Segalis says the idea is for companies to share with one another, and the government, how networks are attacked; how those attacks were detected, prevented, or mitigated; and what tactics did or did not work. In some cases, a company or the government may even be able to share the source of the attack, he says.
One benefit of sharing cyber-threat information with one another is that it can help stop repeat cyber-attacks from reoccurring. The same type of malware attack that stole the personal data of millions of Target customers in 2013, for example, could have—and should have—been thwarted the second time around when it penetrated Home Depot’s network one year later after criminals hacked the retailers’ point-of-sale systems. “That information between companies wasn’t shared immediately,” says Montana Williams, senior manager of cyber-security practices at ISACA.
CYBER-SECURITY ACT OF 2015
Below is an excerpt from the Source: Cyber-Security Act of 2015 contained in the omnibus spending bill.
SEC. 104. Authorizations for Preventing, Detecting, Analyzing, and Mitigating Cyber-Security Threats.
(a) Authorization for Monitoring
(1) IN GENERAL—Notwithstanding any other provision of law, a private entity may, for
cyber-security purposes, monitor—
A. An information system of such private entity;
B. An information system of another non-federal entity, upon the authorization and written consent of such other entity;
C. An information system of a federal entity, upon the authorization and written consent of an authorized representative of the federal entity; and
D. Information that is stored on, processed by, or transiting an information system monitored by the private entity under this paragraph.
(2) CONSTRUCTION.—Nothing in this sub-section shall be construed—
A. to authorize the monitoring of an information system, or the use of any information obtained through such monitoring, other than as provided in this title; or
B. to limit otherwise lawful activity.
(b) Authorization for Operation of Defensive Measures
(1) IN GENERAL—Notwithstanding any other provision of law, a private entity may, for cyber-security purposes, operate a defensive measure that is applied to—
A. an information system of such private entity in order to protect the rights or property of the private entity;
B. an information system of another non-federal entity upon written consent of such entity for operation of such defensive measure to protect the rights or property of such entity; and
C. an information system of a federal entity upon written consent of an authorized representative of such federal entity for operation of such defensive measure to protect the rights or property of the federal government.
Source: Cyber-Security Act of 2015
As another incentive for companies to share cyber-threat information, CISA provides that it won’t be considered a violation of the antitrust laws for two or more “private entities to exchange or provide a cyber-threat indicator or defensive measure, or assistance relating to the prevention, investigation, or mitigation of a cyber-security threat, for cyber-security purposes.”
Because sharing information is voluntary, CISA specifies that it creates neither a “duty to share” a cyber-threat indicator or defensive measure, nor “a duty to warn or act” based on the receipt of such information.
In rare instances where an individual’s personally identifiable information (PII) happens to be embedded within a cyber-threat indicator or a defensive measure, CISA mandates that public and private entities remove such PII prior to sharing it with the federal government if it is not “directly related to a cyber-security threat.”
Major tech companies—including Salesforce, Yelp, Twitter, and Apple—have all actively spoken out in opposition of CISA, citing privacy concerns. Most other industries—banks, oil and gas, manufacturing, energy, and telecommunications—have expressed broad support for CISA.
“The measure allows manufacturers to exchange real-time cyber-threat information with the federal government without increasing the regulatory burden and not creating any new liabilities—something that was not possible before the law was enacted,” says Brian Raymond, director of innovation policy for the National Association of Manufacturers (NAM).
“Manufacturers have gone digital, and technology is embedded throughout their products and processes,” Raymond adds. “With valuable intellectual property being leveraged online in an increasingly connected world, this new law will allow us to remain vigilant in protecting this secret sauce that drives job creation here in the United States.”
The Securities Industry and Financial Markets Association (SIFMA)—which represents the voice of securities firms, banks and asset managers—also expressed their support of CISA. “We commend Congress for taking bipartisan action on the critically important issue of cyber-security and moving forward, after years of effort, a voluntary, workable cyber-threat information sharing bill,” Kenneth Bentsen, president and CEO of SIFMA, said in a statement.
Most IT professionals said they, too, support the idea of information-sharing between the private sector and the government. According to a global survey of 2,906 IT professionals conducted by ISACA, 57 percent said they are in favor of CISA, including 72 percent of the 861 IT professionals polled in the United States. Yet, only 31 percent of IT professionals around the globe—including 46 percent of IT professionals in the United States—said they believe their own companies would voluntarily share information in the event of a data breach.
In order for CISA to be effective, “companies need to have their cyber-security folks trained in the right way,” says Williams. That means cyber-security professionals need to have the requisite skills to perform their primary functions, he says.
To help in that effort, ISACA in 2014 launched Cybersecurity Nexus (CSX), which offers a first-of-its-kind training and certification program, the Cybersecurity Fundamentals Certificate, which requires applicants to pass a knowledge-based exam.
For CISA to be applied effectively, it requires not only a willingness to share information, but also a clear understanding by companies of how to set up their cyber-defenses in an effective way to mitigate cyber-threats, says Williams. “There are two pieces: the active legislation and the workforce to execute it, and they both have to go hand-in-hand,” he says.
Further details will be fleshed out in a series of forthcoming policies and procedures, including joint guidance to be developed by the Department of Justice and the Department of Homeland Security.
These policies and procedures must clarify the types of information that would typically qualify as cyber-threat indicators; the types of information deemed personal to a specific individual or identifying a specific individual; and the types of protected information under privacy laws unlikely to be directly related to cyber-security threats.
How these policies and procedures are crafted ultimately will determine whether CISA will make a significant difference in the way companies share, receive, and use cyber-threat information.
The proposed guidelines are expected to be published Feb. 16, 2016, with final guidance expected in June. CISA’s provisions will sunset in 10 years.