Information Sharing Protections Overview

Promoting Private Sector Cybersecurity Information Sharing Executive Order

Cyber adversaries move with continued and ever-increasing speed and stealth. To keep pace, all organizations need to be able to share and respond to cyber risk as close to real time as possible.

Organizations engaged in cyber threat intelligence and coordinated response efforts play a critical role in the collective cyber resilience of the United States and beyond US borders. However, many organizations within and across sectors struggle to establish an effective and sustainable information sharing infrastructure in the form of Information Sharing and Analysis Organizations (ISAOs).

To encourage the development and implementation of ISAOs, in February 2015 the President issued Executive Order 13691, directing the U.S. Department of Homeland Security (DHS) to promote ISAO development.

The order encourages the voluntary formation of such organizations and establishes mechanisms to continually improve their capabilities and functions, so that they can better partner with the Federal Government on a voluntary basis and support their Sector, Sub-Sector, or Community of Interest.

ISAOs may be organized on the basis of sector, sub-sector, region, or any other affinity, including in response to particular emerging threats or vulnerabilities.  ISAO membership may be drawn from the public or private sector, or consist of a combination of public and private sector organizations.

The order directs the US DHS National Cybersecurity & Communications Integration Center (NCCIC) to engage in continuous, collaborative coordination and to enter into voluntary agreements with ISAOs to promote cybersecurity and to support the sharing of information related to cyber risks and incidents.

Federal agencies shall coordinate on privacy and civil liberties and ensure that appropriate protections are incorporated into such activities.

Cybersecurity Information Sharing Act of 2015

The Cybersecurity Information Sharing Act of 2015 (CISA) was signed into law in December 2015. The law has two main components:

1. Authorizes organizations to monitor and implement defensive measures on their own information systems to counter cyber threats.

2. Provides certain protections to encourage organizations to voluntarily share information about cyber threats (cyber threat indicators and defensive measures) with the federal government, state and local governments, and other companies and private entities.

Cyber Threat Indicators – Information that is necessary to describe or identify: malicious reconnaissance; a method of defeating a security control or exploitation of a security vulnerability; a security vulnerability; a method of causing a user with legitimate access to an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability; malicious cyber command and control; the actual or potential harm caused by an incident; any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or any combination thereof.

Defensive Measure – Action, device, signature, tactics, techniques or procedures, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.

QUALIFYING FOR LIABILITY PROTECTIONS – INFORMATION SHARING & ANALYSIS ORGANIZATIONS (ISAOs)

To qualify for these protections, information sharing must comply with CISA’s requirements, including removal of personal information. To explain those requirements, the US Department of Homeland Security and the US Department of Justice issued a Guidance Document in June 2016.

US Department of Homeland Security, US Department of Justice

Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures
with Federal Entities under the Cybersecurity Information Sharing Act of 2015

“Under Section 104(c) of the CISA Act, non-federal entities may also share cyber threat indicators and defensive measures with federal entities through Information Sharing and Analysis Organizations (ISAOs), which may share them with federal entities through DHS on their behalf.

In general, ISAOs are private entities. Under Section 106(b)(1) of the CISA Act, private entities that share a cyber threat indicator or defensive measure with an ISAO in accordance with the Act receive liability protection and other protections and exemptions for such sharing. Similarly, ISAOs that share information with other private entities in accordance with the Act also receive liability protection, as well as other protections and exemptions. Likewise, an ISAO that shares cyber threat indicators or defensive measures with the federal government in accordance with Section 104(c) through the DHS capability and process created under Section 105(c), or as otherwise consistent with Section 105(c)(1)(B), is also eligible for liability protection under Section 106(b)(2), in addition to CISA’s other protections and exemptions.”

Related documents: the Cybersecurity Information Sharing Act of 2015; US DHS and US DOJ, Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures; US DHS and US DOJ, Privacy and Civil Liberties Final Guidance.

ISAO DEFINITION

“…any entity or collaboration created or employed by public or private sector organizations for the purposes of:

Gathering and analyzing critical cyber and related information in order to better understand security problems and interdependencies related to cyber systems, so as to ensure their availability, integrity and reliability;

Communicating or disclosing critical cyber and related information to help prevent, detect, mitigate or recover from the effects of an interference, compromise, or incapacitation problem related to cyber systems; and

Voluntarily disseminating critical cyber and related information to its Members, federal, state and local governments; or any entities that may be of assistance in carrying out the purposes specified above.”

…ISAO Standards Organization

EXECUTIVE ORDER PROMOTING INFORMATION SHARING

US DHS – Encourage the voluntary formation of ISAOs; support ISAO collaboration and coordination with the US DHS NCCIC; and ensure that privacy and civil liberties protections are built into information sharing.

CYBERSECURITY INFORMATION SHARING ACT

Signed into law – December 18, 2015.

KEY PROVISIONS

Monitor and Defend Information Systems

Protection from Liability for Monitoring

Share or Receive Cyber Threat Indicators or Defensive Measures

Removal of Personal Information Before Sharing

Protections for Sharing and Receiving Information

FEDERAL GUIDANCE (US DHS, US DOJ)

Information Shared Under CISA – Only Information Directly Related to a Cyber Threat (Indicator)

Removal – Any Information from a Cyber Threat Indicator that is “Personal Information”

Liability Protections – Provided Only when Sharing Through the DHS Process

ISAOs – Liability Protection Applies When Sharing with ISAOs via the ISAO and DHS Information Sharing Protocols