By Carl Anderson, VP at Van Scoyoc Associates.
The implementation of the Cybersecurity Information Sharing Act of 2015 (CISA) has been slow, but we are finally beginning to see some progress.
Why Did We Need CISA?
Recent cyber incidents underscore the need for legislation to help businesses improve their awareness of cyber threats, protect customer information and enhance their detection and response capabilities in collaboration with government entities.
Since the signing of Presidential Decision Directive 63 in 1998, information relating to potential cyber threats has been shared through industry-specific Information Sharing and Analysis Centers (“ISACs”). For nearly two decades, despite the growth and importance of ISACs, perceived risks associated with information sharing (potential civil liability, antitrust exposure, and the loss of intellectual property and other proprietary business information) have limited the effectiveness of ISACs and other information-sharing efforts.
On February 13, 2015, President Obama signed Executive Order 13691 “to encourage and promote sharing of cybersecurity threat information within the private sector and between the private sector and government.” The Order encouraged the development of Information Sharing and Analysis Organizations (“ISAOs”) and a common set of voluntary standards for ISAOs, including privacy protections. Although the ISAO concept predates the Order by years, the government has since moved away from relying solely on the traditional ISAC model and now encourages both ISACs and ISAOs.
However, neither the Directive nor the Order provided liability protection for sharing sensitive corporate threat or breach data, whether between the private sector and the government or among private entities themselves. CISA addresses this gap. CISA allows voluntary, real-time sharing of cyber threat indicators while requiring privacy protections and providing liability protections for those who share.
What is CISA?
CISA became law in December 2015, after several years of efforts to improve information sharing. It formalizes the voluntary cyber threat information sharing procedures between the public and private sectors, and formalizes information sharing within the private sector as well. While many organizations, such as HITRUST (an ISAO) and the Financial Services ISAC, were already sharing cyber threat indicators (CTIs), there was a long road ahead to reach the level of participation policymakers were hoping to achieve. CISA attempts to remove liability barriers in order to foster indicator sharing, collaboration and cooperation, as cybersecurity threats continue to have a ripple effect through our national and economic security.
CISA formalizes the voluntary sharing of CTIs and defensive measures (“DMs”) with the public and private sectors. To encourage sharing, CISA gives private entities that share CTIs or DMs several protections: shared information is exempt from disclosure under freedom of information laws, sharing among private entities is exempt from antitrust liability, applicable privileges are preserved rather than waived, and the sharing entity is shielded from liability for the act of sharing. Each of these applies only if the sharing is conducted in the manner specified by CISA and by the DHS Guidance issued under it.
Despite these protections, companies remain reluctant to participate in the voluntary information sharing CISA outlines. There are several reasons for this, but first and foremost, companies want to see value. The uphill battle is to show how this endeavor, which we all agree is worthy, actually protects systems. In many of the recent breaches, information sharing would not have protected the victim company. What it does protect is the next company, and the others engaged in the information-sharing community. In essence, companies currently engaged in information sharing are acting as good corporate citizens in an effort to lead and kick-start the process.
Another reason companies (and their respective Boards) are not more eager to share information might be an inherent distrust of government and regulation. DHS and the Administration still have a way to go to help the public understand the information-sharing process and where liability protections begin and end. The real benchmark will be whether there is active participation from the private sector, and I expect that will be driven by whether the government can demonstrate that sharing adds value.
What Should Companies Consider?
The decision whether a company should participate in cybersecurity information sharing under CISA is complex.
Primarily, companies must weigh the benefits and risks of participating in the information-sharing process. For some companies, particularly those that consider their cybersecurity systems a competitive advantage, this decision will be governed by the circumstances of the threat or event. The information shared could be evidence of an actual incident, but more often it will reflect the routine hostile activity observed on their systems. Companies should consult legal counsel regarding the litigation risks posed by both sharing and receiving threat information, even though CISA contains liability protections.
Again, while CISA establishes a number of these safe harbors, they attach only to sharing conducted in accordance with CISA's requirements. A company that decides to share information under CISA must make certain that it has appropriate procedures and systems in place. Those include limiting what is shared to cyber threat indicators and defensive measures, defining the circumstances in which information is shared, and reviewing shared information to remove personal information about specific individuals that is not directly related to the cybersecurity threat.
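The personal-information review is the one part of that procedure that is routinely automated. The following is an added illustrative example, not text from CISA, not DHS Guidance and not any ISAC's tooling: it scrubs a constructed indicator record before release. It assumes a simple record with a fixed field policy (which fields are the technical indicator and are kept verbatim, which hold personal information and are dropped, which are free text and are redacted); in practice that policy is a decision for counsel and the sharing agreement, and the script only enforces it. It also shows the distinction the requirement turns on: the phishing sender's address in the `value` field is the indicator itself and is kept, while the recipient's address and account name in the description are not directly related to the threat and are removed.

```python
"""
Pre-sharing scrub of a cyber threat indicator record (illustrative example
added to this article; the field policy below is an assumption, not CISA's
text or DHS Guidance).
"""
import json
import re

# Fields treated as the indicator proper and shared unchanged (assumed policy).
INDICATOR_FIELDS = {"type", "value", "first_seen", "last_seen",
                    "malware_family", "ttp", "confidence"}
# Fields that describe specific people and are dropped wholesale (assumed policy).
PERSONAL_FIELDS = {"affected_user", "reporter_email", "victim_name"}
# Free-text fields kept after redaction; anything else is dropped (default deny).
TEXT_FIELDS = {"description"}

# Personal information that tends to leak into free text.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Internal account names written DOMAIN\user (assumed local naming convention).
DOMAIN_USER_RE = re.compile(r"\b[A-Z][A-Z0-9]+\\[a-z][a-z0-9.]+\b")

# Constructed sample record; the phishing sender in "value" is the indicator.
SAMPLE_RECORD = {
    "type": "email-addr",
    "value": "invoices@attacker-example.test",
    "first_seen": "2016-03-01T09:12:00Z",
    "confidence": "high",
    "affected_user": "j.doe",
    "reporter_email": "soc-analyst@example.com",
    "description": "Phishing mail sent to jane.doe@example.com (CORP\\jdoe); "
                   "lure references invoice #4471.",
    "internal_ticket": "IR-2016-0042",
}


def scrub_text(text):
    """Redact e-mail addresses and DOMAIN\\user names in free text.
    Returns (redacted_text, number_of_redactions)."""
    text, n_email = EMAIL_RE.subn("[email redacted]", text)
    text, n_user = DOMAIN_USER_RE.subn("[user redacted]", text)
    return text, n_email + n_user


def scrub_indicator(record):
    """Apply the field policy to one record.
    Returns (scrubbed_copy, audit_log); the audit log records what was
    removed so the review step can be evidenced later."""
    scrubbed, audit = {}, []
    for field, value in record.items():
        if field in INDICATOR_FIELDS:
            scrubbed[field] = value            # the indicator itself is kept verbatim
        elif field in PERSONAL_FIELDS:
            audit.append(f"dropped personal field {field!r}")
        elif field in TEXT_FIELDS:
            new_value, n = scrub_text(str(value))
            scrubbed[field] = new_value
            if n:
                audit.append(f"redacted {n} item(s) in {field!r}")
        else:
            audit.append(f"dropped unlisted field {field!r}")  # default deny
    return scrubbed, audit


def residual_personal_info(record):
    """Release gate: names the non-indicator string fields that still match a
    personal-information pattern. An empty list means the record may be shared."""
    return [field for field, value in record.items()
            if field not in INDICATOR_FIELDS and isinstance(value, str)
            and (EMAIL_RE.search(value) or DOMAIN_USER_RE.search(value))]


if __name__ == "__main__":
    cleaned, log = scrub_indicator(SAMPLE_RECORD)
    print(json.dumps(cleaned, indent=2))
    print("\n".join(log))
    print("residual personal info:", residual_personal_info(cleaned) or "none")
```

The default-deny allowlist is the important design choice: a field the policy has never seen (here the internal ticket number) is dropped and logged rather than passed through, so a new field added upstream cannot silently carry personal data into the ISAC feed. The release gate is deliberately separate from the scrubber, so a policy mistake shows up as a blocked record rather than a disclosure.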
Information sharing will likely require coordination among a company's legal, IT, security and compliance officers to ensure that the company complies with CISA and therefore receives its liability protection.
Done correctly, cyber threat sharing allows companies to take an active role in their own cyber threat detection and enables the larger cyber ecosystem that they are a part of to benefit.
Carl A. Anderson is a Vice President at Van Scoyoc Associates and is a policy expert on healthcare cybersecurity and information sharing.