Yesterday, the Department of Homeland Security (“DHS”) and Department of Justice released final guidance as required by Title I of the Cybersecurity Act of 2015 (“CISA”), which was enacted into law this past December. The guidance was prepared in consultation with several additional federal agencies, and includes four separate documents. We summarize each of the guidance documents below.
The first document (“sharing guidance”) provides guidance for non-federal entities (including state governments) that elect to share cybersecurity information with the federal government under CISA. It summarizes the sharing authorized by CISA as follows: “Effectively, the only information that can be shared under the Act is information that is directly related to and necessary to identify or describe a cybersecurity threat.” But it also notes that “otherwise conflicting laws, including privacy laws, do not restrict sharing or any other action undertaken pursuant to CISA,” consistent with the language of Section 104(c) of CISA, which permits such sharing “notwithstanding any other provision of law.”
The primary purpose of the sharing guidance is to (1) identify the types of information—“cybersecurity threat indicators” and “defensive measures”—that can be shared under CISA; and (2) identify the types of personal information that should generally be removed before sharing. With respect to the latter, CISA requires the removal of information in cyber threat indicators that the private entity “knows at the time of sharing” to be personal information that is not directly related to a cybersecurity threat. According to the sharing guidance, the types of information that generally will not relate to cybersecurity threats include personal health, human resource, financial, educational, and children’s information.
The sharing guidance also provides examples of cyber threat indicators and defensive measures as those terms are defined by CISA. The guidance document identifies cybersecurity threat information broadly by describing what is not included: “Information is not directly related to a cybersecurity threat if it is not necessary to detect, prevent, or mitigate the cybersecurity threat.” Nor do such indicators need to be specific to a particular type of attack: cybersecurity threat indicators can include, for example, patterns of suspicious behavior, new software vulnerabilities, or techniques to gain unauthorized access. The guidance also explains that while personal information about the sender of a phishing email, a malicious URL or malware files attached to the email, and the content of the email likely constitute cyber threat indicators, the name and email address of the targets of the email would be personal information not directly related to a cybersecurity threat “and therefore should not typically be included as part of the cyber threat indicator.”
The sharing guidance notes that defensive measures “could be something as simple as a security device that protects or limits access to a company’s computer infrastructure or as complex as using sophisticated software tools to detect and protect against anomalous and unauthorized activities on a company’s information system.” Such measures include, for example, a firewall rule for blocking incoming malicious activity, a malware signature, or an algorithm that detects malicious activity.
Finally, the sharing guidance describes the process by which non-federal entities can share cyber threat indicators and defensive measures through the real-time DHS portal (which was certified as operational on March 17, 2016) via (1) automated indicator sharing; (2) web form; (3) email to DHS; and (4) information sharing and analysis organizations and centers. Sharing with the federal government outside the DHS portal is permitted, but is not subject to the liability protections under Section 106 of CISA (although it may be subject to several additional CISA protections, such as exemptions from state and federal disclosure laws and regulatory uses). Importantly, the guidance confirms that CISA “does not limit or modify any existing information sharing or reporting relationship, prohibit an existing or require a new information sharing relationship, or mandate the use of the capability and process within DHS.” The guidance concludes with an annex addressing sharing between private entities—as opposed to sharing with the federal government—and notes that private sharing under CISA is subject to many of the same requirements and protections as sharing with the government.
The second document establishes “privacy and civil liberties guidelines governing the receipt, retention, use, and dissemination” of cyber threat indicators and defensive measures by the federal government. As required by CISA, the document incorporates the Fair Information Practices Principles and provides guidance regarding (1) notification to individuals of receipt of information in violation of the Act or other federal laws; (2) the use, dissemination, retention, and timely destruction of information received by the federal government under the Act; and (3) periodic audit requirements. Interestingly, while the statutory language refers to the removal of information that the sharing entity “knows at the time of sharing” to be personal information, this guidance appears to adopt a slightly lower standard with respect to the federal government, stating that this element is met if the federal entity “has reason to know” that information is personal information.
The third document, which was released in final form on February 16, describes procedures through which information is shared by the federal government to participating non-federal entities. The guidance describes a series of sharing mechanisms, though it notes that these are “a non-exhaustive set of examples” that “are dynamic and are expected to grow or evolve over time.” The mechanisms include the DHS National Cybersecurity and Communications Integration Center, Department of Defense Industrial Base Cybersecurity Program, and the Department of Energy Cybersecurity Risk Information Sharing Program, among others. It encourages federal entities to share cyber threat indicators and defensive measures “as broadly and as quickly as possible.” Finally, the document describes mechanisms for the federal government to periodically share cybersecurity best practices with non-federal entities.
The fourth document describes procedures for the receipt of cyber threat indicators and defensive measures by the federal government. The DHS capability to receive such information will use the Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) specifications. The guidance details a series of automated filtering and analysis steps that will occur upon receipt of the information by DHS, followed by human review in certain circumstances and dissemination to other appropriate federal entities.
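As an added illustration of the phishing-email example in the sharing guidance and of the STIX format the DHS capability accepts (example code written for this summary, not taken from the guidance documents): it takes a constructed phishing email, keeps the sender, malicious URL, attachment hash and message content, expresses them as a STIX 2.1 observation pattern, and strips the recipients' names and addresses, which the sharing entity knows at the time of sharing. The sample email, all addresses and the `build_shareable_indicator` helper are hypothetical.

```python
import re
from hashlib import sha256

# Constructed sample of a captured phishing email (not from the guidance).
PHISHING_EMAIL = {
    "from": "billing@invoice-update.example",          # hypothetical sender
    "to": [("Jane Doe", "jane.doe@corp.example")],     # hypothetical target
    "subject": "Invoice overdue",
    "body": ("Dear Jane Doe, your account jane.doe@corp.example is locked. "
             "Verify at http://invoice-update.example/login"),
    "attachments": [{"name": "invoice.pdf.exe",
                     "content": b"MZ\x90\x00 constructed sample, not real malware"}],
}


def redact_targets(text, targets):
    """Remove the recipients' names and addresses, which the sharing entity
    knows at the time of sharing, while leaving the rest of the message intact."""
    for name, addr in targets:
        text = text.replace(addr, "[REDACTED-ADDR]")
        if name:
            text = re.sub(re.escape(name), "[REDACTED-NAME]", text, flags=re.IGNORECASE)
    return text


def build_shareable_indicator(email):
    """Keep only the fields the guidance treats as directly related to the
    threat (sender, URL, attachment, message content) and express them as a
    STIX 2.1 pattern; the recipient list is deliberately never copied over."""
    urls = re.findall(r"https?://[^\s\"'<>]+", email["body"])
    hashes = [sha256(a["content"]).hexdigest() for a in email["attachments"]]
    patterns = [f"[email-message:from_ref.value = '{email['from']}']"]
    patterns += [f"[url:value = '{u}']" for u in urls]
    patterns += [f"[file:hashes.'SHA-256' = '{h}']" for h in hashes]
    return {
        "sender": email["from"],
        "subject": redact_targets(email["subject"], email["to"]),
        "body": redact_targets(email["body"], email["to"]),
        "urls": urls,
        "attachment_sha256": hashes,
        "stix_pattern": " OR ".join(patterns),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_shareable_indicator(PHISHING_EMAIL), indent=2))
```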