On February 16, 2016, Secretary of Homeland Security Jeh Johnson announced interim guidelines and procedures for sharing cyber threat indicators under the Cybersecurity Information Sharing Act of 2015 (“CISA”). Because the guidelines are voluntary, the next question is, should your company share information with the Government?
With these interim guidelines and procedures, the Government seeks to limit the impact to companies and individuals from sharing information on “cyber threat indicators.” Note that a “cyber threat indicator” includes “information that is necessary to describe or identify” cyber threats, as well as methods to trick legitimate users into providing their credentials unwittingly, “[m]alicious reconnaissance,” and “method[s] of defeating a security control or exploitation of a security vulnerability” (otherwise known as malware, backdoors, and insider threats).
As part of this effort to protect privacy, DHS’s Computer Emergency Readiness Team (“US-Cert”) released the Automated Indicator Sharing (“AIS”) initiative to automate the process of real-time information sharing about cyber threats and cyber threat indicators with the private sector and between federal agencies, while simultaneously protecting any protected information that may have been compromised. The guidelines also (i) provide “targeted liability protection for sharing cyber threat indicators” with AIS, and (ii) seek to “encourage companies to work with DHS to set up the technical infrastructure needed to share and receive cyber threat indicators in real-time.”
AIS is designed to remove all Personally Identifiable Information not directly related to the cyber threat before sharing any information. In addition, AIS procedures render the source of the information anonymous before that information is shared (unless the source has agreed to be named). AIS scrubs the indicators for information that would be protected under privacy laws, sharing only “information that is directly related to and necessary to identify or describe a cybersecurity threat.”
Secretary Johnson emphasized that “[t]he law importantly provides two layers of privacy protections. Companies are required to remove personal information before sharing cyber threat indicators and DHS is required to and has implemented its own process to conduct a privacy review of received information.”
What types of information would be shared?
A few examples are specifically listed. These include:
Web server log files showing repeated access attempts or tests from a particular IP address;
The discovery of a backdoor that allows unauthorized access;
A pattern of domain name lookups that indicate a malware infection;
Warnings about files that may have been exfiltrated from a company; and
Actions taken to mitigate any of these dangers.
So, should your company participate in this voluntary information sharing program?
Of course, that depends. When deciding whether to share information with the Government, consider all of the private information your company holds: the company’s IP and trade secrets; the information of your officers, directors, and employees; and personal and billing information for your customers and clients. Sharing any of this information across state, federal, and international borders requires an analysis of numerous laws and regulations, possibly even implicating the newly announced US-EU “Privacy Shield.”
In addition, while these new regulations require all shared data to be rendered anonymous, unintended disclosures happen. Among other things, such a disclosure could spark sanctions under a variety of state, federal, and international privacy laws prohibiting disclosure of protected information. And, of course, information shared with the Government is not necessarily secure—as demonstrated by the theft of 20 million federal employees’ records from the Government last year.
Perhaps most troubling, however, is that companies choosing not to participate in the program are not entitled to access its information. This will create a class of data “haves” and “have-nots,” solely based on a company’s decision to participate in the program. While access to real-time information about cyber threats would provide an obvious benefit, individual businesses will need to decide whether that access is worth the risk, including the risk of unintended disclosure. Any company that decides it is not worth the risk will be excluded from the cyber threat information. Understand, too, that a decision by a company not to participate in the program could be used against it in litigation, the media, or otherwise.
While the tension between privacy and security is fundamental, the cybersecurity battle is only just beginning. For companies now faced with the decision whether or not to participate in the just-announced DHS interim guidelines, this tension is currently at the forefront.