Cyber Threat Information Sharing Guidelines Released by DHS

This week, the Federal government took the first steps toward implementation of the Cybersecurity Information Sharing Act (CISA), enacted into law last December. CISA aims to encourage sharing of cyber threat indicators and defensive measures among private companies and between the private sector and the Federal government by providing liability protection for sharing such information in accordance with the Act. The DHS Federal Register notice was published this morning.

As required by the Act, the government has released four pieces of guidance designed to assist companies and Federal agencies with respect to sharing, receiving and handling cyber threat information.

  • For non-Federal (mostly private sector) entities:  DHS and DOJ jointly released guidance to private companies and other non-Federal entities designed to promote sharing of cyber threat indicators and defensive measures from companies to the Federal government.  This includes guidance regarding instances in which personal information would (or would not) be necessary to describe a cyber threat, as well as categories of information likely to be considered individually identifiable information unrelated to a cybersecurity threat.  The document also sets forth the sharing mechanisms that private companies should use in order to obtain liability protection for providing cyber threat indicators and defensive measures to the Federal government.

  • For Federal entities:  The Director of National Intelligence, along with the Department of Homeland Security (DHS), the Secretary of Defense, and the Department of Justice (DOJ) released guidance outlining procedures for the sharing of classified and unclassified cyber threat indicators and defensive measures possessed by the Federal government with private companies and other levels of government.  The release stressed that existing sharing mechanisms and programs are “dynamic and are expected to grow or evolve over time,” and that some programs “may be discontinued” and replaced by new mechanisms.

  • Interim procedures:  DHS and DOJ also set forth interim procedures related to the receipt of cyber threat indicators and defensive measures by the Federal government. This document sets forth the processes for Federal agency receipt, handling and dissemination of cyber threat indicators and defensive measures, including via the operation of the DHS Automated Indicator Sharing capability also established under the Act.

  • Privacy and civil liberties interim guidelines:  DHS and DOJ also released interim privacy and civil liberties guidelines governing the receipt, retention, use and dissemination of cyber threat indicators by a Federal agency.  The guidance is designed to apply Fair Information Practice Principles (FIPPs) to Federal agency receipt, use and dissemination of cyber threat indicators consistent with CISA’s goal of protecting networks from cybersecurity threats.

The DHS Automated Indicator Sharing (AIS) capability referenced in some of the releases is designed to facilitate real-time sharing of cyber threat indicators by enabling DHS’s National Cybersecurity and Communications Integration Center (NCCIC) to (1) receive indicators from the private sector and other non-federal entities; (2) remove unnecessary personally identifiable information; and (3) disseminate the indicators, as appropriate, to other federal departments and agencies and the private sector and other non-federal entities.  Key functions of this capability include:

  • Performing a series of automated analyses and technical mitigations to ensure that personally identifiable information (PII) that is not directly related to a cybersecurity threat is removed before any information is shared;

  • Incorporating limited elements of human review to ensure such information is removed in cases where automated mitigations are not feasible;

  • Anonymizing the identity of the submitter of the information, unless the submitter has consented to sharing its identity;

  • Minimizing the amount of data collected to what is directly related to a cyber threat;

  • Retaining information for a limited amount of time, consistent with the need to address cyber threats; and

  • Ensuring any information collected is explicitly used for authorized governmental purposes.

Non-federal entities that share cyber threat information with the federal government pursuant to one of the mechanisms described above and in accordance with CISA’s requirements receive a variety of protections, including a limited antitrust exemption, liability protection, an exemption from certain federal and state disclosure laws, an exemption from certain state and federal regulatory uses, and protection for certain privileged and proprietary information, including trade secrets.

The new guidance offers companies a road map for how to share cyber threat information with the government while staying within the bounds of the law.

©1994-2023 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.
National Law Review, Volume VI, Number 49

About this Author

Chris Harvie, Communications Attorney, Mintz Levin
Member

Chris devotes his practice to assisting cable operators, broadband companies, and content providers with a broad range of legal, policy and legislative matters. He represents clients before federal and state agencies, on Capitol Hill, and in court on a variety of communications law issues. Chris’s areas of specialty include privacy, cybersecurity, surveillance law, broadband policy, franchising and access to local rights-of-way, and policy and legislative issues affecting the Internet of Things. As a former committee counsel to the chair of the US Senate Judiciary Committee’s Antitrust,...

202.434.7377
Cynthia Larose, Privacy Attorney, Mintz Levin
Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

617-348-1732