To Share or Not to Share (with the Government)? That is the Question: DHS Announces Interim Guidelines for Sharing Cyber Threat Indicators

Sheppard Mullin Richter & Hampton LLP


On February 16, 2016, Secretary of Homeland Security Jeh Johnson announced interim guidelines and procedures for sharing cyber threat indicators under the Cybersecurity Information Sharing Act of 2015 (“CISA”). Because the guidelines are voluntary, the next question is, should your company share information with the Government?

With these interim guidelines and procedures, the Government seeks to limit the impact to companies and individuals from sharing information on “cyber threat indicators.” Note that a “cyber threat indicator” includes “information that is necessary to describe or identify” cyber threats, as well as methods to trick legitimate users into providing their credentials unwittingly, “[m]alicious reconnaissance,” and “method[s] of defeating a security control or exploitation of a security vulnerability” (otherwise known as malware, backdoors, and insider threats).

As part of this effort to protect privacy, DHS’s Computer Emergency Readiness Team (“US-CERT”) released the Automated Indicator Sharing (“AIS”) initiative to automate the process of real-time information sharing about cyber threats and cyber threat indicators with the private sector and between federal agencies, while simultaneously protecting any protected information that may have been compromised. The guidelines also (i) provide “targeted liability protection for sharing cyber threat indicators” with AIS, and (ii) seek to “encourage companies to work with DHS to set up the technical infrastructure needed to share and receive cyber threat indicators in real-time.”

AIS is designed to remove all Personally Identifiable Information not directly related to the cyber threat before sharing any information. In addition, AIS procedures render the source of the information anonymous before that information is shared (unless the source has agreed to be named). AIS scrubs the indicators for information that would be protected under privacy laws, sharing only “information that is directly related to and necessary to identify or describe a cybersecurity threat.”

Secretary Johnson emphasized that “[t]he law importantly provides two layers of privacy protections. Companies are required to remove personal information before sharing cyber threat indicators and DHS is required to and has implemented its own process to conduct a privacy review of received information.”

What types of information would be shared?

A few examples are specifically listed. These include:

  • Web server log files showing repeated access attempts or tests from a particular IP address;
  • The discovery of a backdoor that allows unauthorized access;
  • A pattern of domain name lookups that indicate a malware infection;
  • Warnings about files that may have been exfiltrated from a company; and
  • Actions taken to mitigate any of these dangers.
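As an added illustration (not from the article, and not DHS's or AIS's own tooling), the Python below sketches the step the guidelines place on the company side for the first indicator type above: it aggregates a web server's access log into a per-source-IP indicator of repeated access attempts, keeps only what describes the threat (source address, paths probed, status codes, user agent, time window), and never copies authenticated user names, e-mail addresses or session tokens. The log lines, the list of PII-bearing query parameters, the three-attempt threshold and the indicator field names are all constructed for this example.

```python
"""Turn web-server log lines into a shareable indicator with personal data removed.

Added example, not part of the original article or of DHS's AIS tooling.
"""
import json
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Feb/2016:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "curl/7.43.0"
203.0.113.7 - - [16/Feb/2016:10:01:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "curl/7.43.0"
203.0.113.7 - - [16/Feb/2016:10:01:04 +0000] "GET /admin/?user=alice.smith@example.com HTTP/1.1" 403 128 "-" "curl/7.43.0"
198.51.100.24 - jsmith [16/Feb/2016:10:02:10 +0000] "GET /account?session=abc123def456 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

COMBINED_LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Query parameters that carry personal or session data rather than threat data (assumed list).
PII_PARAMS = {"user", "username", "email", "session", "token", "name", "phone"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def scrub_path(path):
    """Redact PII-bearing query parameters and any e-mail address in a request path."""
    if "?" not in path:
        return path
    base, _, query = path.partition("?")
    kept = []
    for param in query.split("&"):
        key = param.split("=", 1)[0].lower()
        if key in PII_PARAMS:
            kept.append(f"{key}=[REDACTED]")
        else:
            kept.append(EMAIL_RE.sub("[REDACTED_EMAIL]", param))
    return base + "?" + "&".join(kept)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = COMBINED_LOG_RE.match(line)
    return m.groupdict() if m else None


def build_indicators(log_text, min_attempts=3, reporter=None):
    """Aggregate per-source-IP requests into indicators of repeated access attempts.

    Only source IPs with at least `min_attempts` requests are reported. The
    authenticated-user field is never copied, request paths are scrubbed, and the
    reporting organisation stays anonymous unless it asked to be named.
    """
    by_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ind = by_ip.setdefault(rec["ip"], {
            "indicator_type": "repeated_access_attempts",
            "source_ip": rec["ip"],
            "request_count": 0,
            "paths_probed": [],
            "status_codes": Counter(),
            "user_agents": set(),
            "first_seen": rec["ts"],
            "last_seen": rec["ts"],
            "reporter": reporter or "anonymous",
        })
        ind["request_count"] += 1
        path = scrub_path(rec["path"])
        if path not in ind["paths_probed"]:
            ind["paths_probed"].append(path)
        ind["status_codes"][rec["status"]] += 1
        ind["user_agents"].add(rec["ua"])
        ind["last_seen"] = rec["ts"]

    result = []
    for ind in by_ip.values():
        if ind["request_count"] >= min_attempts:
            ind["status_codes"] = dict(ind["status_codes"])
            ind["user_agents"] = sorted(ind["user_agents"])
            result.append(ind)
    return result


def serialize(indicators):
    """JSON text as it would leave the company; used to check nothing personal slipped through."""
    return json.dumps(indicators, indent=2)


def contains_email(indicators):
    """True if any e-mail address survives in the serialised indicators."""
    return EMAIL_RE.search(serialize(indicators)) is not None


if __name__ == "__main__":
    print(serialize(build_indicators(SAMPLE_LOG)))
```

The single request from 198.51.100.24 never becomes an indicator, so the user name and session token on that line are never serialised; the scanner's three probes do, with the e-mail address in its third request replaced before the record leaves the company. The last two functions are the kind of pre-release check a company would want to run on whatever it submits, since the guidelines place the first layer of privacy protection on the sharing company rather than on DHS.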

So, should your company participate in this voluntary information sharing program?

Of course, that depends. When deciding whether to share information with the Government, consider all of the private information your company holds: the company’s IP and trade secrets; the information of your officers, directors, and employees; and personal and billing information for your customers and clients. Sharing any of this information across state, federal, and international borders requires an analysis of numerous laws and regulations, possibly even implicating the newly announced US-EU “Privacy Shield.”

In addition, while these new regulations require all shared data to be rendered anonymous, unintended disclosures happen. Among other things, such a disclosure could spark sanctions under a variety of state, federal, and international privacy laws prohibiting disclosure of protected information. And, of course, information shared with the Government is not necessarily secure—as demonstrated by the theft of 20 million federal employees’ records from the Government last year.

Perhaps most troubling, however, is that companies choosing not to participate in the program are not entitled to access its information. This will create a class of data “haves” and “have-nots,” solely based on a company’s decision to participate in the program. While access to real-time information about cyber threats would provide an obvious benefit, individual businesses will need to decide whether that access is worth the risk, including the risk of unintended disclosure. Any company that decides it is not worth the risk will be excluded from the cyber threat information. Understand, too, that a decision by a company not to participate in the program could be used against it in litigation, the media, or otherwise.

While the tension between privacy and security is fundamental, the cybersecurity battle is only just beginning. For companies now faced with the decision whether or not to participate in the just-announced DHS interim guidelines, this tension is currently at the forefront.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
