On December 18, 2015, President Barack Obama signed into law the Cybersecurity Information Sharing Act of 2015 (CISA) as part of the 2016 omnibus spending bill. CISA encourages businesses and the federal government to share cyber threat information in the interest of national security.
As we have written on this blog, CISA’s previous iterations were not without controversy. Some privacy advocates, such as the ACLU, view CISA’s inclusion in the spending bill as an effort to “sneak” the bill into law and circumvent any additional debate over its privacy protections. The White House, on the other hand, has continuously supported Congress’s efforts to pass some form of cybersecurity information sharing legislation.
We have outlined some of the more significant takeaways from CISA below.
Sharing of cyber threat information by the federal government
CISA broadly authorizes the federal government to share unclassified “cyber threat indicators” and “defensive measures” – technical data that indicates how networks have been attacked, and how such attacks have been successfully detected, prevented, or mitigated (collectively, “cyber threat information”). The law authorizes the sharing of unclassified information among federal agencies, as well as with businesses and the public. Classified cyber threat information, in contrast, may be shared outside the government only with entities that have appropriate security clearances.
Cybersecurity best practices guidance
CISA requires the federal government to release periodic “cybersecurity best practices” that are tailored to the particular challenges faced by small businesses.
In the provision that both raised the concerns of privacy advocates and was viewed as essential to enabling the sharing of cyber threat information with the government by businesses, CISA authorizes businesses to monitor their information systems and all information stored on, processed by, or transiting the information system, as long as the monitoring is for the purpose of protecting the information or information systems. The law grants to businesses full immunity from government and private lawsuits and other claims that may arise out of CISA-compliant monitoring in which businesses may engage.
Sharing of cyber threat information by businesses
CISA enables businesses to share cyber threat information with seven specified federal agencies. These agencies include the Department of Defense (including the NSA) and the Office of the Director of National Intelligence, as well as the Department of Homeland Security. Businesses will also enjoy immunity from any lawsuit that may arise out of such sharing. However, CISA also provides that sharing of cyber threat information with the federal government will not constitute the waiver of any applicable provision or protection provided by existing law, including trade secret protection.
To address privacy and civil liberty concerns, CISA requires that the federal government retain, use, and disseminate cyber threat information in a way that protects any personally identifiable information contained within cyber threat indicators from unauthorized use or disclosure. Further, CISA restricts the government’s disclosure, retention, and use of cyber threat information to certain enumerated purposes. Use of cyber threat information will also be subject to forthcoming policies, procedures, and guidelines governing the sharing of cyber threat information. These requirements will incorporate security controls intended to protect against unauthorized access to or acquisition of the cyber threat information.
CISA requires businesses to determine whether any personal information is included in any cyber threat indicators they share with the federal government, and to remove such personal information if it is not “directly related to a cybersecurity threat.” However, this removal requirement applies only to information that is known, at the time of sharing, to be personal or personally identifiable to a specific individual. Businesses are required to develop “technical capability” to assist in the identification and removal of personal information. It remains to be seen how this scrubbing requirement may be implemented in light of the inherent difficulty in efficiently and quickly parsing personal information from large data sets that may contain relevant cyber threat information.
The law requires the US Attorney General and Secretary of Homeland Security to publish guidelines to assist businesses in identifying information that would qualify as a cyber threat indicator and eliminating personal information from shared cyber threat information. These guidelines will seek to (1) identify cyber threat indicators that contain personal information and are unlikely to directly relate to a cybersecurity threat, and (2) identify types of information that are protected under privacy laws and are unlikely to directly relate to a cybersecurity threat.
CISA requires the Attorney General and the Secretary of Homeland Security to jointly submit to Congress interim CISA policies and procedures by February 16, 2016, and publish final policies and procedures by June 15, 2016. We will continue to monitor the policies and procedures for cyber threat information sharing on our blog as they are submitted.