July 14, 2020

Volume X, Number 196


To Share or Not to Share (with the Government)? That is the Question: DHS Announces Interim Guidelines for Sharing Cyber Threat Indicators

On February 16, 2016, Secretary of Homeland Security Jeh Johnson announced interim guidelines and procedures for sharing cyber threat indicators under the Cybersecurity Information Sharing Act of 2015 (“CISA”). Because the guidelines are voluntary, the next question is whether your company should share information with the Government.

With these interim guidelines and procedures, the Government seeks to limit the impact to companies and individuals from sharing information on “cyber threat indicators.” Note that a “cyber threat indicator” includes “information that is necessary to describe or identify” cyber threats, as well as methods to trick legitimate users into providing their credentials unwittingly, “[m]alicious reconnaissance,” and “method[s] of defeating a security control or exploitation of a security vulnerability” (otherwise known as malware, backdoors, and insider threats).

As part of this effort to protect privacy, DHS’ Computer Emergency Readiness Team (“US-CERT”) released the Automated Indicator Sharing (“AIS”) initiative to automate real-time sharing of information about cyber threats and cyber threat indicators among federal agencies and with the private sector, while simultaneously protecting any legally protected information that may be contained in the shared data. The guidelines also (i) provide “targeted liability protection for sharing cyber threat indicators” with AIS, and (ii) seek to “encourage companies to work with DHS to set up the technical infrastructure needed to share and receive cyber threat indicators in real-time.”

AIS is designed to remove all Personally Identifiable Information not directly related to the cyber threat before sharing any information. In addition, AIS procedures render the source of the information anonymous before that information is shared (unless the source has agreed to be named). AIS scrubs the indicators for information that would be protected under privacy laws, sharing only “information that is directly related to and necessary to identify or describe a cybersecurity threat.”

Secretary Johnson emphasized that “The law importantly provides two layers of privacy protections. Companies are required to remove personal information before sharing cyber threat indicators and DHS is required to and has implemented its own process to conduct a privacy review of received information.”

What types of information would be shared?

A few examples are specifically listed. These include:

  • Web server log files showing repeated access attempts or tests from a particular IP address;

  • The discovery of a backdoor that allows unauthorized access;

  • A pattern of domain name lookups that indicate a malware infection;

  • Warnings about files that may have been exfiltrated from a company; and

  • Actions taken to mitigate any of these dangers.

So, should your company participate in this voluntary information sharing program?

Of course, that depends. When deciding whether to share information with the government, consider all of the private information your company holds: the company’s IP and trade secrets, the information of your officers, directors, and employees, and personal and billing information for your customers and clients as well. Sharing any of this information across state, federal, and international borders requires an analysis of numerous laws and regulations, possibly even implicating the newly announced US-EU “Privacy Shield.”

In addition, while these new regulations require that all shared data be rendered anonymous, unintended disclosures happen. Among other things, such a disclosure could trigger sanctions under a variety of state, federal, and international privacy laws prohibiting disclosure of protected information. And, of course, information shared with the Government is not necessarily secure—as demonstrated by the theft of 20 million federal employees’ records from OPM last year.

Perhaps most troubling, however, is that companies choosing not to participate in the program are not entitled to access its information. This will create a class of data “haves” and “have-nots,” based solely on a company’s decision whether to participate in the program. While access to real-time information about cyber threats would provide an obvious benefit, individual businesses will need to decide whether that access is worth the risk, including the risk of unintended disclosure. Any company that decides it is not worth the risk will be excluded from the cyber threat information. Understand, too, that a company’s decision not to participate in the program could be used against it in litigation, in the media, or otherwise.

While the tension between privacy and security is fundamental, the cybersecurity battle is only just beginning. For companies now faced with the decision whether or not to participate in the just-announced DHS interim guidelines, this tension is currently at the forefront.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume VI, Number 61

About this Author

Partner

Laura Jehl is a partner in the Business Trial Practice Group in the firm’s Washington, D.C. office. Ms. Jehl is a privacy and cybersecurity expert and serves as Co-Leader of the Privacy and Data Security Practice.

Ms. Jehl has more than two decades of in-house and private practice experience, and has represented clients on a wide range of business and legal matters, including privacy, data security, breach response, litigation and government investigations, crisis management, Internet, digital media, technology and First Amendment matters. Most...

Dave Thomas
Partner

Mr. Thomas is a partner in the Business Trial Practice Group in the firm's Washington D.C. office.

Mr. Thomas has a national practice in the telecommunications and broadband communications industries. His practice focuses on the deployment of competitive networks and services, with a particular emphasis on representing broadband providers in matters involving local franchising, rights-of-way, pole attachments, and similar issues.

Christine R. Couvillon
Associate

Ms. Couvillon’s professional experience involves a wide variety of counseling, investigations, and litigation for government contractor clients. She has conducted and assisted on internal investigations for Office of Foreign Assets Control and False Claims Act liability, represented clients in claims negotiations and disputes before the Armed Services Board of Contract Appeals, and challenged and defended agency decisions on contract awards before the U.S. Government Accountability Office. In addition, Ms. Couvillon has counseled clients on various regulatory and compliance questions,...