Homeland Security Releases Cybersecurity Information Sharing Act Guidelines

The US Department of Homeland Security (DHS) issued guidance this week to assist nonfederal entities in sharing cyber threat indicators and defensive measures with federal entities under the Cybersecurity Information Sharing Act of 2015 (CISA). CISA was passed as part of the Cybersecurity Act of 2015 and directs the Attorney General and the Secretary of DHS to develop guidance that promotes sharing cyber threat indicators with federal entities. CISA also helps nonfederal entities identify defensive measures and share them with federal entities, and it describes the protections that nonfederal entities receive for sharing, including targeted liability protection.

Highlights of the guidance for nonfederal entities under CISA include the following:

  • Identifying information that qualifies as a cyber threat indicator but is likely to include personally identifiable information not directly related to a cybersecurity threat.

  • Identifying information that is unlikely to be directly related to a cybersecurity threat but is protected under otherwise applicable privacy laws.

  • Providing methods for sharing defensive measures.

  • Allowing nonfederal entities to share cyber threat indicators and defensive measures with any other entity—private, federal, state, local, territorial, or tribal—for a “cybersecurity purpose.”

    • “Cyber threat indicator” means information that is necessary to describe or identify

      • malicious reconnaissance or anomalous patterns of communications for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;

      • a method of defeating a security control or exploitation of a security vulnerability (or causing a user with legitimate access to do so);

      • a security vulnerability;

      • malicious cyber command and control;

      • the actual or potential harm caused, including a description of the information exfiltrated as a result of a particular cybersecurity threat;

      • any other attribute of a cybersecurity threat, if such disclosure is not otherwise prohibited by law; and

      • any combination of the above.

    • “Defensive measure” means

      • an action, device, procedure, signature, technique, or other measure applied to an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability, and

      • the term does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system not owned by the private entity operating the measure (or another entity that has given consent).

    • “Cybersecurity purpose” means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.

  • Allowing for the sharing of such information, “notwithstanding any other provision of law.” Before sharing a cyber threat indicator or defensive measure with a federal entity, nonfederal entities are required to remove any information known at the time of sharing to be personally identifiable information not directly related to a cybersecurity threat. Such review may be conducted through either a manual or a technical process.

  • Providing for the sharing of cyber threat indicators and defensive measures with the federal government, which requires the Secretary of DHS to develop a capability and process within DHS to accept cyber threat indicators and defensive measures in real time from any nonfederal entity, including private entities. DHS will in turn relay that information to federal entities in an automated manner, consistent with its operational, privacy, and civil liberties policies. Submissions may be made through Automated Indicator Sharing (AIS), a web form, email, or Information Sharing and Analysis Centers and Information Sharing and Analysis Organizations.

  • Providing for the following protections in addition to liability protection:

    • Antitrust exemption

    • Exemption from federal and state disclosure laws

    • Exemption from certain state and federal regulatory uses

    • No waiver of privilege for shared material

    • Treatment of commercial, financial, and proprietary information (to offer protection from the expected further sharing)

    • Ex parte communications waiver (the sharing shall not be subject to the rules of any federal agency, department, or judicial doctrine regarding ex parte communications with a decision-making official)

Guidance was also released for Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government, Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government, and Privacy and Civil Liberties Interim Guidelines.

Copyright © 2016 by Morgan, Lewis & Bockius LLP. All Rights Reserved.
