by Tony Mendoza, Esq. and Emily Duke, Esq.
Security experts have long said that sharing intelligence about cyber-threats is essential to the defense of information systems throughout all aspects of our society: business, government, and community-based organizations. These systems are like the central nervous system for our economy and much of our society – except that we don’t have a centralized brain processing information from all those systems to readily identify when trouble is present on any one system, and learn from different responses to figure out which damage control techniques are the most effective. Cybersecurity experts have long understood the need to share cyber-threat information – recognizing that sharing threat information helps achieve a common good from which everyone benefits. Governments at all levels share a responsibility to protect the nation from cyberattacks and criminal activity, but because of the largely private ownership and operation of much of the country’s IT infrastructure and systems, the ultimate responsibility for assuring that cyber-threats don’t bring our economy to a standstill is a shared, public-private one.
Recognizing that information must be shared in order for one organization to spot a threat that was encountered by a different, but similar, organization, robust private and public entities have voluntarily formed organizations to share intelligence about cyber-threats. These are called Information Sharing and Analysis Centers (ISACs). ISACs typically form around “communities of interest” to collectively share information, which the ISAC’s experts analyze, thus enabling the respective communities to take proactive steps to protect their information systems and other critical assets. ISACs have formed around the financial services sector (the Financial Services ISAC), retailers (the Retail Cyber Intelligence Sharing Center), state governments (the Multi-State ISAC), the health care industry (the National Health Information Sharing and Analysis Center), and others.
But not all organizations have the financial or human resources to participate in ISACs. Therefore, in 2015, President Obama officially called for the Department of Homeland Security (DHS) to “strongly encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs).” The vision is that ISAOs will be more accessible to main street businesses and local governments, and share a variety of information, including best practices and threat information. Executive Order 13691 led to the establishment of an ISAO Standards Organization that is working to create a cybersecurity information sharing ecosystem – a “white hat network” built on trust.
But sharing can be tricky business: if an organization shares the fact that it has been successfully hacked, even if it has no data breach notification legal obligations, that information can have significant adverse impacts in terms of liability and market reaction. To create a framework for an information-sharing trust environment to flourish, in 2015, Congress passed the Cybersecurity Information Sharing Act (CISA). CISA establishes a legal structure through which private sector entities can share cyber-threat information without incurring liability for disclosing such information.
In the case of sharing cyber-threat information among private sector entities, CISA requires that any shared information be reviewed and scrubbed of any personally identifying information (PII) “not directly related to a threat” that the sharing entity knows about at the time it shares the information. In addition, any private sector industry seeking to avail itself of CISA’s liability protections must utilize security controls to protect against unauthorized access to or disclosure of the shared information. CISA also provides exemption from anti-trust actions for companies sharing cyber-threat information in order to prevent, investigate, or mitigate cyber-threats.
In the case of sharing cyber-threat information with the federal government, CISA has slightly different rules and benefits. Importantly, CISA provides liability protection to a federally regulated private sector entity communicating with its federal regulatory authority with respect to a cybersecurity threat. Thus, a regulated telecommunications carrier communicating with the FCC about a cybersecurity threat could do so and be protected from regulatory fines . . . but only if the reporter follows the correct reporting mechanisms and rules. Specifically, a private sector entity must follow procedures published by DHS. In June 2016, DHS and the Department of Justice issued guidance explaining the information sharing methods within DHS’s “capabilities and process” that qualify a private sector entity for liability protection under CISA that might otherwise arise out of the act of sharing data with the federal government. These methods are:
1. DHS Automated Information Sharing (AIS) – This is the principal mechanism for sharing cyber-threat information with DHS. AIS is the technical protocol for sharing cyber threat information in a secure and automated manner. Once cyber threat information is received, analyzed, and sanitized, AIS shares the information with all AIS participants. AIS will not provide the identity of the submitting entity to other AIS participants unless the submitter consents to share its identity as the source of the cyber threat information.
2. Sharing Through an ISAC or ISAO – Liability protection extends to private entities that share cyber-threat information through an ISAC or an ISAO because such entities are considered to be private sector entities that can share such information with the federal government under CISA. ISACs and ISAOs must of course comply with DHS information sharing procedures in order to receive liability protection. However, the law is unclear as to whether liability protection would extend to an ISAC or ISAO member who in good faith shares cyber-threat information with an ISAC or ISAO, but the ISAC or ISAO fails to follow CISA and DHS requirements for sharing such information.
3. DHS Web Form – DHS also provides an online form that private sector entities can use to provide cyber threat information to DHS.
4. E-Mail – Private sector entities may also share cyber threat information with DHS via email and qualify for liability protection.
Another critical component of CISA is non-waiver of privilege. Sharing cyber-threat information does not waive any privileges or legal protections with respect to the data. For example, sharing such information will not waive attorney-client privilege or change the nature of data designated as a “trade secret.” Information shared in accordance with CISA is also exempt from Freedom of Information Act (FOIA) requests. Finally, information shared in accordance with CISA cannot be used by a federal regulatory agency for regulatory purposes, except for the purpose of promulgating new cybersecurity regulations.
Sharing cyber-threat information is voluntary, and it remains to be seen whether CISA is effective in incentivizing the private sector to share cyber-threat information. DHS is strongly supporting and promoting the formation of ISAOs, and one of the selling points for forming or joining an ISAO is the ability to realize economies of scale by centralizing the process by which information is shared among private sector entities (and with the federal government). However, the liability protection provisions of CISA have yet to be tested. The promise of liability protection is an essential element of Congress’s strategy to encourage greater information sharing within the private sector. But the threat of litigation against a company for erroneously disclosing commercially sensitive information, PII, or other confidential information may still be great enough that it prevents companies from taking the leap to do the right thing and share cyber-threat information to protect the common good.