Earlier this month, the U.S. Department of Homeland Security (DHS) and Department of Justice (DOJ) issued joint interim guidance on private entities’ sharing of cyber threat indicators and defensive measures with the government and other private entities. As we have written, Congress required the agencies to develop and publish this guidance through the Cybersecurity Information Sharing Act (CISA). The guidance provides helpful examples of information that may or may not be shared, along with details about the information sharing mechanism. Concurrently, DHS and DOJ published interim procedures for the receipt of cyber threat indicators and defensive measures, and privacy and civil liberties guidelines.
Below are the key takeaways from the guidance.
Cyber Threat Indicators
The CISA guidance explains that cyber threat indicators must be “directly related to and necessary to identify or describe a cybersecurity threat.” This information should constitute observable characteristics, such as IP addresses, file hashes, domain names, URLs, malware files, and malware artifacts. Some examples of cyber threat indicators that may be shared under CISA include –
- The sender email address and certain content of a malicious email (including any malicious URL in the email, malware attachments, the subject line, the Message-ID, and the X-Mailer header). However, information about the recipients of the message is personal information and typically should not be shared.
- Web server logs could show that a particular IP address has sent traffic that appears to be testing for security vulnerabilities
- Security researchers could report on vulnerabilities that they discovered; likewise, software publishers could self-report vulnerabilities in their own software
- A certain pattern of domain name lookups could correspond to a malware infection
- The domain name and IP addresses associated with botnet command and control servers
- The IP addresses used to conduct a distributed denial of service attack
- A company that had certain types of files stolen from its network could describe the types of files targeted to warn other companies with similar assets
Defensive Measures
The CISA guidance explains that a defensive measure “will generally consist principally of technical information that can be used to detect and counter a cybersecurity threat.” Some examples include:
- A computer program that identifies a pattern of malicious traffic
- A signature that could be loaded into an intrusion detection system to detect an intrusion bearing certain characteristics
- A firewall rule that blocks certain malicious traffic
- An algorithm that can search traffic logs to discover anomalous patterns that may indicate malicious activity
- An automated technique for matching incoming traffic against a set of content known to be associated with a specific cybersecurity threat
CISA requires a business to review a cyber threat indicator before sharing it (whether by manual means or through a technical process) to assess whether the indicator contains any personal information not directly related to the cybersecurity threat. The CISA guidance identifies certain types of personal information, protected under other privacy laws, that are unlikely to be directly related to a cybersecurity threat and, therefore, should not be shared if known to be present in the cyber threat indicator:
- Protected health information under HIPAA, such as medical records, laboratory reports, or hospital bills
- Human resources information – information contained within an employee’s personnel file
- Consumer information or history, such as information related to an individual’s purchase, preferences, complaints, and credit
- Education history, such as education records, transcripts, and information regarding training, such as professional certifications
- Identifying information about property ownership that is not publicly available, e.g., vehicle identification numbers
- Identifying information of children under the age of 13.
The CISA guidance also cautions entities to “exercise particular care” when reviewing and sharing the content of communications, as content may contain sensitive or protected information.
Although CISA does not require the removal of personal information from defensive measures, the CISA guidance highlights the possibility that a defensive measure may contain a cyber threat indicator. Thus, removal of personal information may be required “for information within the defensive measure that is also a cyber threat indicator.”
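The review step the guidance describes (manual or by technical process) can be automated for the malicious-email case discussed above. The following is an added example, not code from the guidance or from DHS. The sample message is constructed, the list of headers treated as shareable follows the guidance's email example (sender, subject, Message-ID, X-Mailer), and the rule that a URL embedding an email address is held for manual review rather than shared automatically is this example's own design choice, mirroring the flag-for-review handling the guidance describes for the government's side.

```python
"""Turn a phishing email into a cyber threat indicator with recipient information removed.

Added example; the sample message below is constructed, not a real capture."""
import email
import hashlib
import json
import re
from email import policy

# Constructed sample phishing message (not real data).
SAMPLE_EML = b"""From: IT Helpdesk <helpdesk@mail-secure-login.example>
To: Alice Smith <alice.smith@victim.example>
Cc: bob@victim.example
Subject: Action required: password expires today
Message-ID: <20160301120000.A1B2C3@mail-secure-login.example>
X-Mailer: ExampleMailer 1.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Your password expires today. Renew at http://mail-secure-login.example/reset?user=alice.smith@victim.example
or download the updated policy from http://mail-secure-login.example/policy.pdf before 5pm.

--BOUNDARY
Content-Type: application/octet-stream; name="policy_update.exe"
Content-Disposition: attachment; filename="policy_update.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--BOUNDARY--
"""

# Headers the guidance lists as shareable for a malicious email.
SHAREABLE_HEADERS = ("From", "Subject", "Message-ID", "X-Mailer")
# Headers that identify recipients: personal information, never shared.
RECIPIENT_HEADERS = ("To", "Cc", "Bcc", "Delivered-To")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_indicators(raw: bytes) -> dict:
    """Parse a raw message and separate shareable indicators from fields needing review."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Recipient addresses are collected only so they can be recognised if they
    # leak into a field that would otherwise be shared (e.g. a tracking URL).
    recipients = set()
    for name in RECIPIENT_HEADERS:
        for value in msg.get_all(name, []):
            recipients.update(a.lower() for a in EMAIL_RE.findall(str(value)))

    indicator = {"headers": {}, "urls": [], "attachments": [], "review_required": []}

    for name in SHAREABLE_HEADERS:
        value = msg.get(name)
        if value is None:
            continue
        text = str(value)
        if any(r in text.lower() for r in recipients):
            indicator["review_required"].append(f"{name}: {text}")
        else:
            indicator["headers"][name] = text

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        # A URL carrying an email address (often the recipient's, as a tracking
        # parameter) identifies a person: hold it for manual review, do not auto-share.
        if EMAIL_RE.search(url) or any(r in url.lower() for r in recipients):
            indicator["review_required"].append(url)
        else:
            indicator["urls"].append(url)

    # Attachments are shared as hashes (malware artifacts), not as recipient data.
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        indicator["attachments"].append(
            {"filename": part.get_filename(), "sha256": sha256_hex(payload)})
    return indicator


def for_sharing(indicator: dict) -> dict:
    """The indicator with fields held for manual review left out."""
    return {k: v for k, v in indicator.items() if k != "review_required"}


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_EML)
    print(json.dumps(for_sharing(found), indent=2))
    print("held for review:", found["review_required"])
```

On the constructed sample, the reset URL is held back because it embeds the recipient's address, while the sender, subject, Message-ID, X-Mailer, the second URL and the attachment hash are released; the To and Cc headers are never copied into the output at all.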
Sharing Mechanisms
Businesses may share cyber threat indicators and defensive measures through several mechanisms:
- Through the DHS “Automated Indicator Sharing” (AIS) initiative, which would require participants to obtain a client that communicates with DHS servers. This initiative would facilitate the sharing of structured data using standardized fields and communication protocols “in a secure and automated manner”
- Through a DHS web form and email
- Through Information Sharing and Analysis Organizations and Centers (ISAOs and ISACs) – which, in turn, will share the data with DHS
- With other federal or non-federal entities
However, when sharing data with the federal government under CISA, liability protection attaches only if the sharing is with DHS. Sharing with other federal entities, such as the FBI or the Department of Defense, will not provide liability protection, although the other legal protections provided by CISA would still be available (e.g., an exemption from federal antitrust laws and from federal and state freedom of information and similar laws, and non-waiver of any applicable privilege).
When submitting information, a business must identify the business sector to which it belongs and its approximate geolocation (e.g., city and state); this information will be shared among federal agencies. However, although a business must identify itself to DHS, the business may choose not to allow DHS to share its identity with other federal entities.
Receipt of Information by the Government
After DHS receives cyber threat indicators and defensive measures, the data will be analyzed via automated processes to identify errors, such as additional data fields that are not part of the AIS standard, missing required information, and the presence of extraneous personal information in the data. If errors are present, the information will be flagged for manual review. The cyber threat indicator or defensive measure will be shared automatically without the flagged fields and subsequently updated based on the results of the manual review. If a governmental agency identifies personal information that is known not to be directly related to uses authorized under CISA, the Privacy and Civil Liberties Interim Guidelines require the government to delete that information.
The CISA interim guidance provides a helpful explanation of the types of information that would be appropriate to share under CISA and provides an overview of how that sharing may occur. Final guidance is expected by June 15, 2016. Businesses that wish to share information with the government under CISA should review and evaluate their relevant policies to determine whether any updates may be warranted, pending issuance of the final guidance. We will continue to monitor updates to the CISA guidance and update this blog when the final guidance is issued.