The US Department of Homeland Security (DHS) issued guidance this week to assist nonfederal entities to share cyber threat indicators and defensive measures with federal entities under the Cybersecurity Information Sharing Act of 2015 (CISA). CISA was passed as part of the Cybersecurity Act of 2015 and directs the Attorney General and the Secretary of DHS to develop guidance that promotes sharing cyber threat indicators with federal entities. CISA also helps nonfederal entities identify defensive measures and share them with federal entities and describes the protections that nonfederal entities receive for sharing, including targeted liability protection.
Highlights of the guidance for nonfederal entities under CISA include the following:
- Identifying information that qualifies as a cyber threat indicator but is likely to include personally identifiable information not directly related to a cybersecurity threat.
- Identifying information that is unlikely to be directly related to a cybersecurity threat but is protected under otherwise applicable privacy laws.
- Providing methods for sharing defensive measures.
- Allowing nonfederal entities to share cyber threat indicators and defensive measures with any other entity—private, federal, state, local, territorial, or tribal—for a “cybersecurity purpose.”
- “Cyber threat indicator” means information that is necessary to describe or identify
- malicious reconnaissance or anomalous patterns of communications for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
- a method of defeating a security control or exploitation of a security vulnerability (or causing a user with legitimate access to do so) ;
- a security vulnerability;
- malicious cyber command and control;
- the actual or potential harm caused, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
- any other attribute of a cybersecurity threat, if such disclosure is not otherwise prohibited by law; and
- any combination of the above.
- “Defensive measure” means
- an action, device, procedure, signature, technique, or other measure applied to an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability, and
- the term does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system not owned by the private entity operating the measure (or another entity that has given consent).
- “Cybersecurity purpose” means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.
- Allowing for the sharing of such information, “notwithstanding any other provision of law.” Nonfederal entities are required to remove any information from a cyber threat indicator or defensive measure known at the time of sharing to be personal identifiable information not directly related to a cybersecurity threat before sharing it with a federal entity. Such review may be conducted through either a manual or technical process.
- Providing for the sharing of cyber threat indicators and defensive measures with the federal government, which requires the Secretary of DHS to develop a capability and process within DHS to accept cyber threat indicators and defensive measures in real time from any nonfederal entity, including private entities. DHS will in turn relay that information to federal entities in an automated manner, consistent with the operational and privacy and civil liberties policies including through submission via: Automated Indicator Sharing (AIS), web form, email, and Information Sharing and Analysis Centers or Information Sharing and Analysis Organizations.
- Providing for the following protections in addition to liability protection:
- Antitrust exemption
- Exemption from federal and state disclosure laws
- Exemption from certain state and federal regulatory uses
- No waiver of privilege for shared material
- Treatment of commercial, financial, and proprietary information (to offer protection from the expected further sharing)
- Ex parte communications waiver (the sharing shall not be subject to the rules of any federal agency, department, or judicial doctrine regarding ex parte communications with a decisionmaking official)
Guidance was also released for Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government, Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government, and Privacy and Civil Liberties Interim Guidelines.