Today, both government agencies and private sector organizations are working to build more resilient security solutions and strategies to limit the risk of cyber-attacks and data breaches. As many are well aware, increasingly sophisticated cyber threats pose an enormous risk to national security by exploiting sensitive classified information. To combat this risk, the United States government, backed by both the House and the Senate, has taken swift measures to put legislation into law that gives government agencies and non-government entities more effective channels of information and communication for sharing cyber threat indicators and cyber-threat tactics.
What Is The Cybersecurity Information Sharing Act?
The Cybersecurity Information Sharing Act or CISA is a United States federal law enacted by Congress to advance cybersecurity policies in the United States by allowing government agencies and non-government entities to share information regarding cyberattacks. Through enabling new channels of communication, this law has created more open communication around cybersecurity threats and associated cyber threat indicators allowing the Federal Government and private sector companies to act more strategically in minimizing the risk of new attacks.
Benefits of the Cybersecurity Information Sharing Act of 2015
One of the major benefits of the Cybersecurity Information Sharing Act of 2015, or CISA, is that federal agencies and non-federal entities can share cyber threat information, security vulnerabilities, and data breaches without the worry of liability or other consequences. This law allowed government entities such as the Department of Homeland Security (DHS) to build communication channels with the Department of Justice (DOJ) and with private entities without the worry of legal fallout. Under the protection of CISA, organizations in the private sector and government agencies gain liability protection, non-waiver of privilege, and protection from FOIA disclosure. Counterintuitively, by providing this protection and supporting the dissemination of such sensitive data, entities can actually build more strategic defensive measures against future attacks, leaving them better protected.
Opponents doubt the value of CISA, arguing it would shift responsibility from private companies to the government, enhancing the vulnerability of private information and dispersing it across seven government departments, including the National Security Agency and local police.
Principles of CISA
CISA, enacted by Congress and signed into law by Barack Obama in 2015, provides several protections for entities that share information related to cybersecurity threats. In the following sections, we outline some of the more significant provisions of this law and address how this protection influences the dissemination of information for security purposes.
Sharing of Sensitive Information Between Government and Private Sector Entities
One of the most impactful aspects of CISA is the authorization to share unclassified information relating to cyber threats. By sharing such information with the appropriate federal entities and fostering this collaboration and communication, the US Government has seen a significant decline in the associated cyber threats. This ability to relax restrictions on sharing cyber threat indicators has been one of the major contributing factors in the downward trend in government cyber attacks.
Protection and Immunity
This ability to share information between government entities and private sector organizations is founded on protection and immunity. Before CISA, if organizations disclosed that they had sustained a major cyberattack, they could be held liable, as such disclosure can create economic harm and put the United States' national security at risk. For this reason alone, organizations tended not to be very forthcoming with any information related to cyber threats that could jeopardize their organization. The protection CISA provides incentivizes organizations to speak openly about cyber threats and, in doing so, elevates collaboration and deepens understanding of cutting-edge cyberattack tactics.
One of the principal tenets of CISA is that personally identifiable information must be protected when threat information is shared among government agencies or private sector organizations. The intention of this component of CISA is to protect the privacy rights and civil liberties of the individuals whose data was involved in a cyber threat. Without this clause, sharing breach data among various organizations could inadvertently expose the sensitive information of individuals as well.
In terms of privacy, the bill contains provisions that prohibit the sharing of personal data unrelated to cybersecurity. Any personally identifiable information that is not removed during the sharing process can be used in a number of ways. These common cyber threat indicators can be used to investigate cybercrimes, but they can also be used as evidence in offenses involving physical force.
Under the antitrust clause of CISA, it is not a breach or an antitrust violation for federal or state organizations to share information and cyber threat indicators as a measure to prevent, investigate, or mitigate threats. This layer of protection ensures that organizations are protected while sharing sensitive information, so long as the sharing is intended to prevent, investigate, or mitigate cyber attacks.
Automated Information Sharing (AIS)
The Automated Information Sharing (AIS) system allows the real-time exchange of machine-readable cyber threat indicators and defensive measures to help protect AIS community members and, in turn, decrease the frequency of cyberattacks.
What agencies are a part of AIS?
Private sector associations
Federal departments and agencies
State, local, tribal, and territorial (SLTT) governments
Information sharing and analysis centers (ISACs)
Information sharing and analysis organizations (ISAOs)
Overseas partners and firms
AIS is a service provided free of charge to participants as part of CISA’s mission to collaborate with public and private sector partners to detect and reduce cyber threats by sharing knowledge and technical assistance for cybersecurity purposes.
Since the program's inception in 2016, CISA has expanded the number of Automated Information Sharing (AIS) participants as well as the volume of cyber threat indicators it shares. However, CISA has made only modest progress in improving the overall quality of the information it shares with AIS participants so that they can efficiently eliminate cyber threats and defend against attacks. The small number of AIS participants sharing cyber indicators with CISA, delays in obtaining cyber threat intelligence requirements, and a lack of CISA office personnel all contribute to CISA's limited progress in improving the quality of the information it shares.
Eleven of seventeen participants (five from the federal government and six from the private sector) said the threat indicators provided by AIS lacked the contextual or background data needed to determine the appropriate course of action for mitigating threats against their networks. Furthermore, some participants claimed that some of the indicators they received were false positives or useless data. Some say that the limited number of participants sharing threat data with CISA makes the threat data less useful than it could otherwise be.
Vulnerability Disclosure Policy (VDP) Platform
The Vulnerability Disclosure Policy (VDP) Platform from CISA gives agencies the option of using a centrally managed system to collect vulnerability information from the public and work with reporters to increase the security of their internet-accessible systems. CISA's platform aims to facilitate good-faith security research, resulting in greater security and coordinated disclosure across the federal civilian enterprise.
The platform is expected to be a software-as-a-service application that allows individuals to report issues with participating agencies' internet-accessible systems via a single point of entry. The departments in charge of the affected systems, not CISA or the VDP Platform service provider, will be responsible for remediating detected vulnerabilities on federal information systems.
In October 2020, CISA announced that consulting firm EnDyna, Inc. had been awarded a $13.5 million contract to support its government-wide vulnerability disclosure policy (VDP) platform service for entities looking to collaborate with researchers to discover security vulnerabilities.