
SMB ISAO

Small to Medium-size Business Information Sharing and Analysis


Archives for May 30, 2017

Information Sharing and Analysis Centers: A great way to improve cybersecurity

May 30, 2017 By mnisao

The Cybersecurity Information Sharing Act of 2015 (CISA) was signed by President Obama and paved the way for businesses to share cyber threat information, known as cyber threat indicators, with the U.S. Government. The program, managed by the Department of Homeland Security (DHS), is intended to increase industry awareness of successful cyberattacks by sharing information about those threats with industry, so that businesses are aware of impending attacks and better prepared to defend against them.

The Mission of the ISAO: Information Sharing and Elevated Cybersecurity Awareness
The stakeholders in CISA realized that real-time sharing of cyber threat indicators between industry and the government was critical to quickly disseminating that information, increasing the cybersecurity awareness of businesses and decreasing the risk of further successful attacks. It was necessary to address the critical factors of trust and privacy to ensure that businesses would share threat data when attacked and would be amenable to joining a membership empowered to transmit and receive cyber threat data to improve their security posture.

Critical to meeting this intent was the formation of Information Sharing and Analysis Organizations, or ISAOs, which are non-profit or for-profit institutions that share information with DHS and serve as an intermediary between industry and the government. These organizations vary in complexity and have a range of offerings, but are usually oriented around a region, industry or other business vertical. The ISAOs are connected to DHS through a public/private portal called the Automated Information Sharing (AIS) portal and can push and pull information as necessary to submit and disseminate cyber-attack information for their members.

The ISAOs are individually organized and are loosely regulated by the ISAO Standards Organization, or SO. This organization is responsible for developing the framework, standards and requirements for establishing and running an ISAO. The SO, funded in early 2016, has been working on establishing guidance and documentation and has been extensively supported by the ISAOs’ predecessors, the Information Sharing and Analysis Centers, or ISACs, which number 13 and are focused on critical infrastructure such as large financial organizations, healthcare, aviation, defense and other industries deemed critical to the U.S. economy. The ISACs have been in business, some for over a decade, and have used their expertise to assist the ISAOs in their successful formation.

Enablers of Trust
Early on in the negotiations that preceded CISA there were frank discussions between industry and the USG on how to enable trust, and enabling trust became the primary point of contention, besides privacy, in the formation of the law. Because the USG has a dual role as protector and enforcer, many companies are leery about sharing their information with it, fearing repercussions or leakage. The USG realized that the formation of ISAOs is critical to building trust between industry and the government: an ISAO represents an industry, sector or particular region, and by virtue of that common interest it is empowered by its members to represent and protect them.

To further enable the formation of trust between industry and the government, the law specifically designates that the ISAOs report to DHS rather than the intelligence or military community. One of DHS’ numerous missions is the protection of the internet against attack, ensuring its safety while preventing its use to commit crimes. Placing the ISAO program under DHS made sense because DHS represents the security of the nation and has no regulatory capacity over these businesses, making it palatable to business and Congress.

Furthermore, as stated, ISAOs themselves are formed around common membership or interest: small business (SMB-ISAO), defense (Defense-ISAO), legal (Legal-ISAO), regional (Rocky Mountain-ISAO) etc. This common interest enables trust and also legitimizes the ISAO’s role as the protector of its members from government involvement. Thus, the ISAO is seen as the “trusted” entity, creating comfort in the sharing of cyber threat indicators through proven methods.

Protectors of Privacy
But the entities involved in creating CISA realized that allowing the formation of protective organizations was not enough to enable trust; other mechanisms would be required to augment that trust through provisions designed to improve the level of comfort a company would have in sharing cyber threat information. One of these was to require that all data be sanitized of all Personally Identifiable Information (PII) such as social security numbers, names, addresses etc. Additionally, information was to be scrubbed of all proprietary information, intellectual property and/or any other information that would place the company that shared it at a competitive disadvantage.

Each ISAO is usually connected to the DHS Automated Information Sharing (AIS) system, which transmits and receives cyber threat indicator information and serves as the conduit for information sharing between DHS and the ISAO. Depending on the capabilities of the ISAO, current and relevant cyber threat information is disseminated outward to ISAO members in daily or weekly reports, and in the event of a hack the incident is reported to the ISAO, which transmits that data to DHS. This process is overseen by DHS and the ISAO and is in place to protect the ISAO member from sharing proprietary data or any information that could place its operations or intellectual property in danger.

But creating a means of transmitting and receiving data was not enough for those concerned with the potential release of that information. Thus, the law also states that any federal, local or tribal entity that receives cyber threat information from a business through the DHS AIS cannot share it outside that entity, and furthermore that the information cannot be disclosed through open-government laws, Freedom of Information Act requests, Sunshine Law requests etc. These lawful restrictions, subject to legal consequences if violated, were put in place to further ensure that businesses that partake in ISAO membership are protected. By serving as the standard bearer of privacy, using approved methods of transmission and holding the government accountable, the ISAO protects its industry members and ensures that the protections afforded by CISA for sharing information are in place.

Membership Legal Protections
CISA stakeholders also realized that addressing privacy and information was critical to forming the trust necessary between business and DHS but that further protections were warranted to ensure that businesses would feel comfortable joining an ISAO. Thus, crucial legal protections were written into the law to protect businesses from any repercussions endemic in the sharing of cyber threat indicators or information.

These protections provide businesses with crucial shields against tort litigation, FOIA requests and Sunshine Law requests, protect any patents or trade secrets that may have been stolen, and prevent the government from using disclosures of breaches for regulatory retribution.

While these protections are extensive and recommended for any business to acquire, it is critical to note that they are in place only if the information is shared through DHS or another non-federal entity. While a business is able to share that information with DHS directly through an email, participation in an ISAO is recommended because of the ISAO’s direct connection with the DHS NCCIC, its expertise in handling sensitive information and its inherent level of cybersecurity expertise.

So Join an ISAO Today!
The ISAOs are easy to join and offer a company the ability to increase its awareness by the reception of critical cyber threat data as well as critical legal and regulatory protections for companies that share information. In this series, we will look at all the aspects of an ISAO, what information they can share, how the business is protected and the obligations of DHS to the business community. While there are many, some like the SMB-ISAO have no restrictions on size or number of employees and are backed and staffed by companies with decades of cybersecurity and intelligence expertise who use industry leading tools to protect their members.


FOIA and Sunshine Law Protections: Why are they significant?

May 30, 2017 By mnisao

Litigation is the primal fear of any small and mid-sized business owner, and any protection from litigation, or from evidence that could support litigation, is of critical importance. It is why the cybersecurity insurance markets are worth hundreds of millions, if not billions, of dollars a year as they prey on the fear, uncertainty and doubt (or FUD, as it is known in advertising and marketing) of the small business owner. While protecting the business against legal costs is of paramount importance, there are legal protections that no cyber insurance product can provide that are afforded by the Cybersecurity Information Sharing Act (CISA) and ISAO participation.

As formalized in the CISA law, Section 104.d.4. talks about the use of cybersecurity defensive measures that are shared with State, Tribal or Local governments. Part B of Section 4 explicitly states that those

“cyber threat indicators or defensive measure shared by or with a State, tribal, or local government, including a component of a State, tribal, or local government that is a private entity, under this section shall be—
(i) deemed voluntarily shared information; and
(ii) exempt from disclosure under any provision of State, tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records.”

So what is the intent of the government in providing this particular protection? To us at SMB-ISAO it means that the government is once again providing key protections in order to improve cybersecurity sharing with government entities. A spokeswoman for Senate Intelligence Committee Chairman Richard Burr (R-N.C.) said the FOIA language was important to encourage companies to share information on cyber threats and attacks with the government.

“The exemption is one of the bill’s tools meant to encourage as much sharing of cyber-threat indicators as possible in order to reduce cyber-attacks on our homeland. At the core of this legislation is the creation of an environment where individuals and businesses feel safe in sharing information with the government as well as with each other,” Burr spokeswoman Becca Watkins said. Basically, this act extends the same protection from FOIA requests that is extended to National Security and critical infrastructure.
For smaller companies, the threat of litigation increases when Freedom of Information Act (FOIA) or Sunshine Laws allow plaintiffs or lawyers to request additional information in order to identify litigious opportunities. Examples abound on the internet of FOIA requests being used to harass researchers, restrict freedom of speech and obtain information about cybersecurity attacks. By invoking CISA protections through the sharing of threat data with state, local and tribal governments, especially through the DHS AIS, smaller companies can enhance their protection against lawsuits.

While this protection shields businesses that share information with local governments against those threats, it can be inferred that sharing between non-federal entities other than the aforementioned “component” of a state, tribal or local government may not preserve these protections. It appears that only by communicating cyber threat indicators or defensive measures through an ISAO directly to the DHS National Cybersecurity and Communications Integration Center (NCCIC) through its Automated Information Sharing (AIS) system, or by providing that information directly to the NCCIC or to state, local and tribal governments, would small and mid-sized businesses be afforded these protections.

2005 Aeroplaza Drive, Colorado Springs, CO 80916 | 877-412-9407
Copyright © 2019 SMBISAO™.