Building Privacy into Cyber Threat Information Sharing Cyber Security Symposium Securing the Public Trust

Transcription

1 Building Privacy into Cyber Threat Information Sharing Cyber Security Symposium Securing the Public Trust Jamie Danker Director, Senior Privacy Officer National Protection and Programs Directorate, U.S. Department of Homeland Security September 28, 2016

2 DHS Privacy Office NPPD Privacy Office Tools: embedded privacy staff, privacy compliance process integrated in IT Security processes, Privacy Impact Assessments! Visit for examples of PIAs for IT programs and systems across DHS.

3 Cybersecurity Act of 2015 Overview Passed by Congress and signed by President Obama on December 18, 2015 as part of the FY2016 Omnibus Appropriations Act Title I of the Act is the Cybersecurity Information Sharing Act (CISA) Designates DHS as the central hub for the sharing of cyber threat indicators between the private sector and the Federal Government Gives liability protection to private sector entities if they share cyber threat indicators through DHS s Automated Indicator Sharing (AIS) capability 4 3

4 Privacy and Civil Liberties Guidelines

5 Privacy and Civil Liberties Guidelines Establishes privacy and civil liberties guidelines for the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with the activities authorized by CISA, consistent with the need to protect information systems from cybersecurity threats, any other applicable provisions of law, and the Fair Information Practice Principles (FIPPs). Interim at 60 days (February 16, 2016) to Congress and made publicly available, Final at 180 days (June 15, 2016) made publicly available. Review every 2 years.

6 Privacy and Civil Liberties Guidelines FIPPs The FIPPs are the widely accepted framework of defining principles to be used in the evaluation and consideration of systems, processes, or programs that affect individual privacy. The Guidelines include a FIPPs analysis that shapes the guidance on receipt, retention, use and dissemination of cyber threat indicators shared under CISA.

7 Privacy and Civil Liberties Guidelines Defensive Measures Defensive measures, as a technical matter, typically should not need to contain personal information of a specific individual or information that identifies a specific individual. The guidelines state that Federal entities are strongly encouraged, where not explicitly required and to the extent appropriate, to apply the requirements found in the guidelines to defensive measures.

8 Guidelines: Receipt Federal entities must destroy information, in a timely manner, that is (1) personal information of specific individuals or information that identifies specific individuals and (2) that is known not to be directly related to uses authorized under CISA. The Federal Government s principle mechanism for receipt of cyber threat indicators and defensive measures is the DHS AIS capability, which will include a privacy scrub.

9 Guidelines: Use Highlights the authorized uses listed under Section 105(d)(5): a cybersecurity purpose; the purpose of identifying (i) a cybersecurity threat, including the source of such cybersecurity threat or (ii) a security vulnerability; the purpose of responding to, or otherwise preventing or mitigating, a specific threat of death, serious bodily harm, or serious economic harm, including a terrorist act or a use of a weapon of mass destruction; the purpose of responding to, investigating, prosecuting, or otherwise preventing or mitigating a serious threat to a minor, including sexual exploitation and threats to physical safety; or the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a threat described in #3 above or any of the offenses listed in (i) sections 1028 through 1030 of title 18, United States Code (relating to fraud and identity theft), (ii) chapter 37 of such title (relating to espionage and censorship), and (iii) chapter 90 of such title (relating to protection of trade secrets).

10 Guidelines: Retention Federal entities may only retain cyber threat indicators and defensive measures provided under CISA for the purposes authorized in Section 105(d)(5)(A). Federal entities will follow or modify applicable, or establish new, records disposition schedules to comply with the requirements in CISA for specific limitations on retention. Federal entities will also establish a process for the timely destruction of a cyber threat indicator when it becomes known to the Federal entity that the cyber threat indicator contains personal information of specific individuals, or information that identifies specific individuals, that is not directly related to an authorized use under CISA.

11 Guidelines: Dissemination Prior to the sharing of a cyber threat indicator, every Federal entity shall review such cyber threat indicator to assess whether it contains any information (1) not directly related to a cybersecurity threat (2) that such Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual, and remove such information.

12 Guidelines: Required Federal Notification Notifying entities if information received under CISA is known or determined to be in error or in contravention of the requirements of CISA or another provision of Federal law or policy of such error or contravention. (Section 103(b)(1)(C)) Notifying entities if information received pursuant to CISA is known or determined not to constitute a cyber threat indicator. (Section 105(b)(3)(E)) Notifying any United States Person whose personal information is known or determined to have been shared in violation of CISA. (Section 103(b)(1)(F))

13 Guidelines: Other Requirements Safeguarding Sanctions Protection of classified/national security information Audit Periodic Review

14 Automated Indicator Sharing (AIS)

15 What is AIS? Designed to enable the timely exchange of cyber threat indicators and defensive measures among federal and nonfederal entities. To do this, DHS must: be able to receive data from non-federal and federal entities, filter sensitive information, analyze the information, and disseminate cyber threat indicators and defensive measures for the purposes set forth in the legislation, and within the limitations set forth in the legislation.

16 Cyber Threat Indicators (CTI) and Defensive Measures (DM) CTIs: pieces of information like malicious IP addresses or the sender address of a phishing (although they can also be much more complicated) with some added context about the circumstances in which the information was received. Indicator = Observation + Informed Hypothesis DM: a strategy for defending against or mitigating the effects of a cyber threat. Congress defined a DM quite broadly: A set of CTIs with a suggestion for how to combat them. A white paper. A device, piece of software, or code.

17

18 AIS Implementation Pre-CISA: DHS stood-up three working groups (Privacy & Compliance, Customer Engagement, and Internal Capabilities) to implement DHS s initial plan with the goal to enable the automated capability. Post-CISA: In collaboration with DOJ and other government agencies, AIS was updated for: Addition of Defensive Measures Redefining Cyber Threat Indicators Development of CISA Guidelines

19 AIS Design Decisions Design Objective: engender trust amongst participants by sharing CTIs and DMs that are directly related to cyber threats in real-time while protecting privacy and civil liberties. Design Models: existing DHS policy to not use/share PII unless it is directly related to the cybersecurity threat. Standards: open standards of Structured Threat Information expression (STIX) and Trusted Automated exchange of Indicator Information (TAXII) for AIS.

20 What are STIX and TAXII? STIX and TAXII are OASIS-led open source standards developed for structuring communication on cyber threat information as well as the supporting protocol for secure machine-to-machine communication of cyber threat information.

21 AIS Profile A selection of STIX fields that most directly relate to CTI and DM sharing which have been assessed for privacy, civil liberties, and other compliance concerns and risks. Received input from various cybersecurity analysts across the government to not adversely inhibiting the use or utility of the CTIs and DMs. Technical or manual mitigations applied for each identified risk.

22 Technical and Manual Mitigations Replacing ID with NCCIC IDs Defining vocabulary and schema restrictions Regular expression (pattern matching) Matching against list of known good values Replacing with auto generated text Conducting human review

23 DHS Privacy Scrub

24 Indicator Submission Company Name Indicator Title Indicator Description Kill Chain Phase Observable Type IP Addresses (Category, Is Spoofed, Is Source, Is Destination, Address Value) Messages (From, Subject, Message ID, Sender, X-Mailer, Body) File (Name, Extension, Path, Size) Attribution

25 Removal of Prohibited Fields Company Name Indicator Title Indicator Description Kill Chain Phase Observable Type IP Addresses (Category, Is Spoofed, Is Source, Is Destination, Address Value) Messages (From, Subject, Message ID, Sender, X-Mailer, Body) File (Name, Extension, Path, Size) Attribution

26 Automated Sanitization (Replace) Company Name NCCIC ID (unless consent to share) *Indicator Title Auto-Generated Title *Indicator Description Auto-Generated Description Kill Chain Phase Observable Type IP Addresses (Category, Is Spoofed, Is Source, Is Destination, Address Value) Messages (From, Subject, Message ID, Sender, X-Mailer, Body) File (Name, Extension, Path, Size) Attribution *Privacy risk cannot be mitigated by technical means and is queued for human review.

27 Automated Sanitization (Technical) Company Name NCCIC ID (unless consent to share) *Indicator Title Auto-Generated Title *Indicator Description Auto-Generated Description Kill Chain Phase No privacy risk, automatic pass-through because it matches controlled vocabulary Observable Type IP Addresses Category Controlled Vocabulary Is Source, Is Destination, Is Spoofed Schema Restricted (T/F) Address Value Regular Expression Messages From, Sender Regular Expression *Subject, Body SEND FOR HUMAN REVIEW Message ID, X-Mailer Known Good File Name Known Good Extension Regular Expression & Known Good Path Regular Expression (Partial Mitigation) & Known Good Size Regular Expression Attribution *Privacy risk cannot be mitigated by technical means and is queued for human review.

28 Initial AIS Indicator NCCIC ID (unless consent to share) Auto-Generated Title Auto-Generated Description Kill Chain Phase Observable Type IP Addresses (Category, Is Spoofed, Is Source, Is Destination, Address Value) Messages (From, Subject, Message ID, Sender, X- Mailer, Body) File (Name, Extension, Path, Size)

29 Human Review Indicator Title Reviewed for the inclusion of PII not necessary to understanding the cyber threat. *Sanitized, if necessary, for dissemination. Indicator Description Reviewed for the inclusion of PII not necessary to understanding the cyber threat. *Sanitized, if necessary, for dissemination. Observable Type Message Subject & Body Reviewed for the inclusion of PII not necessary to understanding the cyber threat. *Sanitized if necessary for dissemination. *If can t be sanitized, information will be deleted.

30 Final* AIS Indicator NCCIC ID (unless consent to share) Sanitized Indicator Title Sanitized Indicator Description Kill Chain Phase Observable Type IP Addresses (Category, Is Spoofed, Is Source, Is Destination, Address Value) Messages (From, Sanitized Subject, Message ID, Sender, X-Mailer, Sanitized Body) File (Name, Extension, Path, Size) *Disseminated via version control.

31 But what does this really look like?

32 CTI of Malicious Domain Names SOURCE:

33 CTI of Malicious Domain Names SOURCE:

34 Questions?