Answering calls from the private sector for clearer liability protections when companies share cyber threat data with each other under a relatively new law, the Department of Homeland Security (DHS) on Wednesday issued updated guidance describing the exemptions and protections those entities receive for sharing cyber threat information among themselves.
The original guidance was issued in February as required by the Cybersecurity Information Sharing Act that Congress passed and President Barack Obama signed into law late in 2015. But companies and other private groups wanted additional clarification to ensure the liability protections included in the legislation to incentivize information sharing between the private sector and federal government applied to sharing between private entities.
Clarification is needed from DHS and the Justice Department that the “liability protections under CISA cover private to private sharing,” Mark Clancy, CEO of Soltra, told the House Homeland Security Cybersecurity Subcommittee on Wednesday during a hearing to review progress on implementing CISA. Soltra is a cyber solutions provider and joint venture created by an information security organization of the financial services industry and the DTCC, which provides services to the world’s financial markets.
Rep. John Ratcliffe (R-Texas), chairman of the panel, said that private-to-private sharing of cyber threat indicators is intended by CISA.
Key features of the law include liability protections meant to encourage the sharing of cyber threat indicators and defensive measures, so that government and private entities gain greater situational awareness of current threats and can either keep them off their networks or remove them once found.
“CISA authorizes private entities to share cyber threat indicators and defensive measures with other private entities” under section 104(c) of the law, the updated DHS guidance says. “It also provides private entities with liability protection for conducting such sharing in accordance with CISA.”
The information that can be voluntarily shared under CISA is cyber threat indicators and defensive measures, and certain personally identifiable information must be removed from them before they are shared.
The updated guidance also clarifies the sharing of cyber threat indicators and defensive measures by non-federal entities with a federal entity.
CISA makes DHS, and specifically the department’s cyber watch center, the National Cybersecurity and Communications Integration Center, the main portal for the sharing of cyber threat information within the federal civilian government and between the federal civilian government and non-federal entities. DHS has established an automated portal for machine-to-machine sharing of threat indicators in near-real time called the Automated Indicator Sharing (AIS) system.
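The removal of personal information before an indicator leaves the organization, and the near-real-time machine-to-machine sharing that AIS is built for, are exactly the steps a submitting entity ends up automating. The block below is an added example written for this page; it is not DHS guidance text, not AIS or Soltra code, and does not reproduce any AIS submission format. The record layout, the field names, the drop policy (fields identifying the recipient are removed, fields describing the attacker's infrastructure are kept) and the sample phishing indicator are all constructed assumptions for illustration.

```python
import json
import re
from copy import deepcopy

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumed policy for this example: structured fields that identify the
# victim are dropped; the department is kept as non-identifying context.
CONTEXT_FIELDS_TO_DROP = ("recipient", "recipient_name")

# Constructed sample record (not a real submission): a phishing indicator as
# an analyst might record it before it is queued for automated sharing.
SAMPLE_INDICATOR = {
    "type": "indicator",
    "title": "Credential-phishing campaign",
    "observables": {
        "sender": "payroll-update@bad-domain.example",
        "url": "http://bad-domain.example/login",
        "sha256": "0123456789abcdef" * 4,  # constructed placeholder hash
    },
    "context": {
        "recipient": "jane.doe@victim-corp.example",
        "recipient_name": "Jane Doe",
        "target_department": "Finance",
    },
    "description": (
        "Jane Doe (jane.doe@victim-corp.example) received mail from "
        "payroll-update@bad-domain.example linking to "
        "http://bad-domain.example/login"
    ),
}


def scrub_indicator(indicator):
    """Return (scrubbed_copy, removed).

    The original record is left untouched so it can stay in internal case
    files; `removed` is an audit trail of what was stripped and from where.
    """
    ind = deepcopy(indicator)
    removed = []
    # Attacker-side values are the indicator itself and must survive scrubbing.
    threat_values = set(ind.get("observables", {}).values())

    # 1. Drop structured fields that identify the victim, remembering their
    #    values so the same strings can be caught in free text.
    ctx = ind.setdefault("context", {})
    pii_values = []
    for field in CONTEXT_FIELDS_TO_DROP:
        if field in ctx:
            pii_values.append(ctx.pop(field))
            removed.append(field)

    # 2. Redact every e-mail address in the description that is not a threat
    #    observable, then any dropped literal value (e.g. the person's name).
    def redact_email(match):
        addr = match.group(0)
        if addr in threat_values:
            return addr  # the attacker's sender address stays
        removed.append(f"description:{addr}")
        return "[REDACTED-EMAIL]"

    desc = EMAIL_RE.sub(redact_email, ind.get("description", ""))
    for value in pii_values:
        if value in desc:
            desc = desc.replace(value, "[REDACTED]")
            removed.append(f"description:{value}")
    ind["description"] = desc
    return ind, removed


def residual_pii(indicator, known_pii):
    """Pre-send check: return the known personal strings still present anywhere."""
    blob = json.dumps(indicator)
    return [value for value in known_pii if value in blob]


if __name__ == "__main__":
    scrubbed, removed = scrub_indicator(SAMPLE_INDICATOR)
    print(json.dumps(scrubbed, indent=2))
    print("removed:", removed)
    print("residual:", residual_pii(scrubbed, ["jane.doe@victim-corp.example", "Jane Doe"]))
```

The `removed` list is what a reviewer would want logged alongside the submission: it shows which fields and which free-text strings were stripped without storing the stripped values in the outbound record. `residual_pii` is a final gate before the record is handed to whatever automated channel the organization uses; a pattern-based scrub like this is a first pass, and anything a person is known to have typed into a free-text field still needs a human check.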
Industry officials testifying before the House panel on Wednesday generally lauded DHS’ initial implementation of CISA and its outreach to the private sector, while pointing to the need for clarification of liability protections for private-to-private threat sharing.
“While there are still some operational improvements needed to facilitate the efficient sharing of both automated and non-automated processes, and government guidelines remain to be finalized, there is clear evidence of a strong commitment on the part of industry and government to address any remaining barriers,” Robert Mayer, vice president of Industry and State Affairs for the United States Telecom Association, told the subcommittee.
So far about 30 companies and private entities, including Soltra, are enrolled in AIS and are receiving cyber threat data from DHS. About 100 private entities have begun the process for participating in the AIS program.
These participation numbers don’t appear to have changed in the past few weeks but Mayer said that given the attention at the financial, technical and legal levels needed before a company or other organization enrolls in AIS, the current participation numbers are “not a bad situation.”
Officials speaking at a CHS workshop last week on the CISA implementation said that so far the private sector has been reluctant to share with the federal government the cyber threat indicators it is discovering on its own networks.