Promoting Private Sector Cybersecurity Information Sharing Executive Order
Cyber adversaries move with ever-increasing speed and stealth. To keep pace, all organizations need to be able to share and respond to cyber risk as close to real time as possible.
Organizations engaged in cyber threat intelligence and coordinated response play a critical role in collective cyber resilience, in the United States and beyond its borders. However, many organizations within and across sectors lack an effective and sustainable information sharing structure, such as an Information Sharing and Analysis Organization (ISAO).
In February 2015, the President issued Executive Order 13691, directing the U.S. Department of Homeland Security (DHS) to encourage the development and implementation of ISAOs.
The order encourages the voluntary formation of such organizations, establishes mechanisms to continually improve their capabilities and functions, and aims to better allow these organizations to partner with the Federal Government on a voluntary basis and to support their sector, sub-sector, or community of interest.
ISAOs may be organized on the basis of sector, sub-sector, region, or any other affinity, including in response to particular emerging threats or vulnerabilities. ISAO membership may be drawn from the public or private sector, or consist of a combination of public and private sector organizations.
The order directs the US DHS National Cybersecurity & Communications Integration Center (NCCIC) to engage in continuous, collaborative coordination with ISAOs and to enter into voluntary agreements with them to promote cybersecurity and to support the sharing of information related to cyber risks and incidents.
Federal agencies shall coordinate these activities with their senior officials for privacy and civil liberties and ensure that appropriate privacy and civil liberties protections are incorporated into such activities.
Cybersecurity Information Sharing Act of 2015
The Cybersecurity Information Sharing Act of 2015 (CISA) was signed into law in December 2015. The law has two main components:
Authorizes organizations to monitor and implement defensive measures on their own information systems to counter cyber threats.
Provides certain protections to encourage organizations to voluntarily share information about cyber threats (cyber threat indicators and defensive measures) with the federal government, state and local governments, and other companies and private entities.
Cyber Threat Indicator – Information that is necessary to describe or identify: malicious reconnaissance; a method of defeating a security control or exploiting a security vulnerability; a security vulnerability; a method of causing a user with legitimate access to an information system to unwittingly enable the defeat of a security control or the exploitation of a security vulnerability; malicious cyber command and control; the actual or potential harm caused by an incident; any other attribute of a cybersecurity threat, if disclosure of that attribute is not otherwise prohibited by law; or any combination thereof.
Defensive Measure – Action, device, signature, tactics, techniques or procedures, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.
QUALIFYING FOR LIABILITY PROTECTIONS – INFORMATION SHARING & ANALYSIS ORGANIZATIONS (ISAOs)
To qualify for these protections, information sharing must comply with CISA's requirements, including the removal of personal information that is not directly related to a cybersecurity threat. To help non-federal entities meet those requirements, the US Department of Homeland Security and the US Department of Justice issued a guidance document in June 2016.
US Department of Homeland Security, US Department of Justice
Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures
with Federal Entities under the Cybersecurity Information Sharing Act of 2015
“Under Section 104(c) of the CISA Act, non-federal entities may also share cyber threat indicators and defensive measures with federal entities through Information Sharing and Analysis Organizations (ISAOs), which may share them with federal entities through DHS on their behalf.
In general, ISAOs are private entities. Under Section 106(b)(1) of the CISA Act, private entities that share a cyber threat indicator or defensive measure with an ISAO in accordance with the Act receive liability protection and other protections and exemptions for such sharing. Similarly, ISAOs that share information with other private entities in accordance with the Act also receive liability protection, as well as other protections and exemptions. Likewise, an ISAO that shares cyber threat indicators or defensive measures with the federal government in accordance with Section 104(c) through the DHS capability and process created under Section 105(c), or as otherwise consistent with Section 105(c)(1)(B), is also eligible for liability protection under Section 106(b)(2), in addition to CISA’s other protections and exemptions.”
“…any entity or collaboration created or employed by public or private sector organizations for the purposes of:
Gathering and analyzing critical cyber and related information in order to better understand security problems and interdependencies related to cyber systems, so as to ensure their availability, integrity and reliability;
Communicating or disclosing critical cyber and related information to help prevent, detect, mitigate or recover from the effects of an interference, compromise, or incapacitation problem related to cyber systems; and
Voluntarily disseminating critical cyber and related information to its Members, federal, state and local governments; or any entities that may be of assistance in carrying out the purposes specified above.”
…ISAO Standards Organization
EXECUTIVE ORDER PROMOTING INFORMATION SHARING
US DHS – Encourage the voluntary formation of ISAOs; support ISAO collaboration and coordination with the US DHS NCCIC; and ensure that privacy and civil liberties protections are incorporated into information sharing.
CYBERSECURITY INFORMATION SHARING ACT
Signed into law – December 18, 2015.
Monitor and Defend Information Systems
Protection from Liability for Monitoring
Share or Receive Cyber Threat Indicators or Defensive Measures
Removal of Personal Information Before Sharing
Protections for Sharing and Receiving Information
FEDERAL GUIDANCE (US DHS, US DOJ)
Information Shared Under CISA – Only Information Directly Related to a Cybersecurity Threat Qualifies as a Cyber Threat Indicator
Removal – Before Sharing, Remove Any Information Not Directly Related to a Cybersecurity Threat that the Entity Knows to be Personal Information of, or to Identify, a Specific Individual
Liability Protections – For Sharing with the Federal Government, Provided Only when Sharing Through the DHS Capability and Process
ISAOs – Liability Protection Also Applies to Sharing with an ISAO in Accordance with the Act, and to an ISAO's Own Sharing with Private Entities or with the Federal Government Through DHS