Cyber-crimes, such as data breaches and cyber-attacks, have posed a constant threat to the United States Government and its citizens in the post-Snowden era. A study suggests that in 2015 a total of 58 cyber-attacks occurred on US companies, which marked a significant increase from the previous year. The average cost per attack has also risen with each attack as well as the number of users whose privacy is rendered vulnerable and exposed. The most notable cyber attacks involving financial information have been directed at T-Mobile, Anthem, Sony and Home Depot.
As the National Security Agency (NSA) attempts to neutralize cyber attacks, the Republican-controlled Congress has been debating five bills designed to alert the Government of cyber threats. Cybersecurity Information Sharing Act (CISA) is one of the bills, signed into law by President Obama on December 18, 2015 as part of the Consolidated Appropriations Act, 2016. CISA has been touted as the single most effective instrument in tackling and enhancing cybersecurity. However, some critics see it more as an attempt to gain access to big data or metadata that tech companies possess, thereby creating a sophisticated tool for high-tech cyber-surveillance.
There are four Titles under CISA, which deal with the (1) scope of sharing cybersecurity information; (2) improving federal network security; (3) workforce management; and (4) other cyberspace policy related matters. The contentious portions are encapsulated within the first Title, which specifically address information sharing between private entities and the Government.
Title I, Section 103, of CISA requires the Director of National Intelligence, Secretary, Homeland Security, Secretary of Defense and the Attorney General (collectively referred to as “Law Enforcement”) to (1) consult with the heads of the appropriate Federal Agencies and to (2) jointly develop effective procedures to (a) facilitate voluntary exchange of classified and non-classified cyber threat indicators (CTI) and (b) develop defensive measures (DMs) to combat cybercrimes within 60 days [§103(c)]. The term CTI has been defined in the Act as information related to a cybersecurity threat or security vulnerability. The term DM , on the other hand, refers to an action, device or procedure stored on an information system that detects, prevents or mitigates a known cybersecurity threat or security vulnerability.
Section 103 also requires Law Enforcement to release guidelines that more fully elaborate on the Section’s requirements. Accordingly on February 16, 2016, Law Enforcement released a “Policy-Paper,” which elaborates on what qualifies as CTI and DMs, related intricacies about procedures, and safeguards pertaining to information sharing. This Policy Paper was prepared in consultation with several Federal Agencies including the Department of Commerce, the Department of Energy, Treasury and The National Laboratories.
Policy-Paper for Federal Entities
Through this Policy-Paper, summarized below, Law Enforcement has delineated preexisting programs and procedures that meet the key agendas prescribes under Section 103(a) of the Act.
- Timely sharing of CTIs in possession of Federal Government with cleared representatives of relevant entities.
The Law Enforcement points to a few measures that serve this purpose. The Enhanced Cybersecurity Services (ECS) program of the Department of Homeland Security (DHS) is a platform through which DHS collects CTIs from cybersecurity organizations of the Federal Government. DHS then shares the information with commercial service providers, thus enabling them to better protect their customers. Other such programs include the National Cyber Investigative Joint Task Force (NCIJTF) of the President, and the Defense Industrial Base (DIB) & Cybersecurity (CS) program of the Department of Defense (DoD).
- Sharing pertinent declassified Information related to cyber attack
FBI’s Private Industry Notifications (PIN) and FBI Liaison Alert System (FLASH) programs convey industry-specific details about current or emerging cyber threats along with technical information of use to the recipient to identify the threat. Additionally, Department of Energy’s Program called Cybersecurity Risk Information Sharing Program (CRISP) enables a public-private sector partnership to share information.
- Circulation of unclassified Cyber Intelligence in a timely and periodic manner
CTI and DMs that are broadly available to federal and non-federal entities must be shared as fast as practicable. The Policy-Paper points to DHS’s Automated Indicator Sharing Initiative (AIS) and Cyber Information Sharing and Collaboration Program (CISCP), amongst others, as tools. These programs facilitate the exchange of unclassified CTIs and DMs with the private sector, pursuant to the real-time process described under §105(c) of the Act. Sections 103(a)(4) and (5) require the consistent information sharing in the form of reports, publication and statistical analysis to flow out from Law Enforcement in the cyber space.
Guidance-Paper for Non-Federal Entities
On February 16, 2016, the Department of Justice and DHS jointly released a Guidance Paper, summarized below. Pursuant to Sections 104 and 105 of CISA, this Guidance-Paper provides information that will assist Non-Federal Entities, who elect to share CTIs and identify DMs with the Federal government, to do so in accordance with CISA.
- Information Exchange and Monitoring Information Systems by Non-Federal Entities
Sections 104 and 105 delineate the responsibilities and the nature of exchange of CTI amongst private entities. The only limitation applicable to this exchange is that it must be strictly cyber attack related as the same qualifies as a lawful construction in the Act [Section 104(c)(2))]. It permits private entities to monitor information systems of other private entities and Federal Agencies that are either directly or indirectly relevant. In order to prevent activities that breach privacy of an individual or any other civil liberties, it mandates that such entities ensure that the exchange is secure and does not include personal information data.
- Exemptions and Protections for Sharing Information
CISA provides for voluntary sharing of information such as CTI and DMs. Section 104 provides an exemption from antitrust liability for private companies that share information in order to eliminate threats to cybersecurity – not to conspire to collude in the market. Apart from an antitrust exemption, Section 106 permits private entities to monitor information systems of federal and non-federal entities and also share CTI and DMs if the same is consistent with the procedures established by the Policy-Paper or the Guidance-Paper, for the purposes of security. The information shared under CISA shall not be used to regulate a private entity’s activities, per Section 105(d)(5)(D). The Non-Federal Guidance Paper notes that companies may share information under CISA with Information Sharing and Analysis Centers (ISACs) or Information Sharing and Analysis Organizations (ISAOs), which will in turn share information with federal agencies through DHS.
Many view CISA as an attempt to streamline the channel of CTI and DM exchange between federal agencies; between federal and non-federal agencies; and between non-federal agencies. Now that the legislation is complete with supplemental guidance from Law Enforcement, it is evident that the intent and purpose is to incentivize all entities to share information and jointly develop defense measures voluntarily, without the fear of liability.
On the flipside, some worry that the privacy of individuals will be diminished under the garb of cybersecurity or national security. The legislation grants immunity from violating privacy laws if personal user data is made accessible to the Government. Several tech companies including Apple have expressed their objections against the law several times and in different forums. The Electronic Frontier Foundation (EFF) has raised strong concerns against the very nature of the law. One objection is that the legislation does not address many of the factors that have actually led to cyber attacks, such as malware links, unencrypted files, and poor computer architecture. Furthermore, EFF complains that CISA establishes broad and vague procedures for intelligence sharing.
The baffling debate between user privacy and national cyber security seems to have been mitigated in this new legislation by allowing a clear and open process of data sharing. But the costs of cybersecurity include rendering personal information of civilians vulnerable to the hands of federal agencies and other private entities. Even if cyber security ultimately protects the user, is it right to undermine the civilian data for an arguably good cause? Is CISA another needle in the cyber-haystack, steadily increasing government supervision over its citizens? The coming years will be interesting, as it will reveal the direction in which the legislation is headed.