on March 29, 2016
On February 16, 2016, Secretary of Homeland Security Jeh Johnson announced interim guidelines and procedures for sharing cyber threat indicators under the Cybersecurity Information Sharing Act of 2015 (“CISA”). Because the guidelines are voluntary, the next question is: should your company share information with the Government?
With these interim guidelines and procedures, the Government seeks to limit the impact to companies and individuals from sharing information on “cyber threat indicators.” Note that a “cyber threat indicator” includes “information that is necessary to describe or identify” cyber threats, as well as methods to trick legitimate users into providing their credentials unwittingly, “[m]alicious reconnaissance,” and “method[s] of defeating a security control or exploitation of a security vulnerability” (otherwise known as malware, backdoors, and insider threats).
As part of this effort to protect privacy, DHS’s Computer Emergency Readiness Team (“US-CERT”) released the Automated Indicator Sharing (“AIS”) initiative to automate the process of real-time information sharing about cyber threats and cyber threat indicators with the private sector and between federal agencies, while simultaneously protecting any protected information that may have been compromised. The guidelines also (i) provide “targeted liability protection for sharing cyber threat indicators” with AIS, and (ii) seek to “encourage companies to work with DHS to set up the technical infrastructure needed to share and receive cyber threat indicators in real-time.”
AIS is designed to remove all Personally Identifiable Information not directly related to the cyber threat before sharing any information. In addition, AIS procedures render the source of the information anonymous before that information is shared (unless the source has agreed to be named). AIS scrubs the indicators for information that would be protected under privacy laws, sharing only “information that is directly related to and necessary to identify or describe a cybersecurity threat.”
Secretary Johnson emphasized that “[t]he law importantly provides two layers of privacy protections. Companies are required to remove personal information before sharing cyber threat indicators and DHS is required to and has implemented its own process to conduct a privacy review of received information.”
What types of information would be shared?

A few examples are specifically listed. These include:

· Web server log files showing repeated access attempts or tests from a particular IP address;
· The discovery of a backdoor that allows unauthorized access;
· A pattern of domain name lookups that indicate a malware infection;
· Warnings about files that may have been exfiltrated from a company; and
· Actions taken to mitigate any of these dangers.
So, should your company participate in this voluntary information sharing program?

Of course, that depends. When deciding whether to share information with the Government, consider all of the private information your company holds: the company’s IP and trade secrets; the information of your officers, directors, and employees; and personal and billing information for your customers and clients. Sharing any of this information across state, federal, and international borders requires an analysis of numerous laws and regulations, possibly even implicating the newly announced US-EU “Privacy Shield.”
In addition, while these new regulations require all shared data to be rendered anonymous, unintended disclosures happen. Among other things, such a disclosure could spark sanctions under a variety of state, federal, and international privacy laws prohibiting disclosure of protected information. And, of course, information shared with the Government is not necessarily secure—as demonstrated by the theft of 20 million federal employees’ records from the Government last year.
Perhaps most troubling, however, is that companies choosing not to participate in the program are not entitled to access its information. This will create a class of data “haves” and “have-nots,” solely based on a company’s decision to participate in the program. While access to real-time information about cyber threats would provide an obvious benefit, individual businesses will need to decide whether that access is worth the risk, including the risk of unintended disclosure. Any company that decides it is not worth the risk will be excluded from the cyber threat information. Understand, too, that a decision by a company not to participate in the program could be used against it in litigation, the media, or otherwise.
While the tension between privacy and security is fundamental, the cybersecurity battle is only just beginning. For companies now faced with the decision whether or not to participate in the just-announced DHS interim guidelines, this tension is currently at the forefront.