The Cybersecurity Act of 2015 Series: Information Sharing and Related Guidelines

Posted by Shivan Mehta

This post is the beginning of a series of entries that will focus on the Cybersecurity Act of 2015 and its progress. This particular post provides highlights of Title I of the Act, the Cybersecurity Information Sharing Act of 2015 (CISA), and the guidelines employed by the Department of Homeland Security (DHS).

The Cybersecurity Act of 2015 was officially signed into law on December 18, 2015. CISA specifically focuses on the sharing of cybersecurity information among federal agencies and private entities. The following are the overarching principles and goals of CISA:

(1) parties are not required to share information;
(2) parties desiring to share information do so by sending the information to DHS, which in turn will share the information with the Department of Defense, National Security Agency, state and governmental agencies, and other participating private entities;
(3) the law suggests that cyber threat indicators and defensive measures be shared in real time or as quickly as operationally practicable;
(4) before sharing any information, both federal agencies and private entities will be required to remove any personal information that is known at the time of sharing to be included in the data and not directly related to a cybersecurity threat; and
(5) private entities will receive "safe harbors" for sharing information, including no civil or antitrust liability, limitations on regulatory liability, and no waiver of privilege (though privilege protection is only offered if private entities use the DHS processes to transfer information).

In an attempt to mitigate certain concerns regarding the vast amount of data shared among federal agencies and private entities, the DHS released guidelines and interim procedures for information sharing on February 16, 2016. These guidelines provide a helpful framework for federal agencies and private entities that will participate in the cyber program.
In particular, the guidelines give examples of the types of information that may contain cyber threat indicators, such as web server log files, source code, and unexecuted malware. Further, the guidelines list the types of personal information that should be removed before sharing threat information with the DHS (e.g. names, email addresses, and health and financial information). Entities that choose to participate in this program will have access to threat information shared by others. With this information, participants should be able to mitigate cyber threats more effectively.

Please watch for the next related blog post, which will focus on Title II of the Act, specifically the details of the DHS information sharing platform and how private entities can share and receive cyber threat information.