Cybersecurity Information Sharing Legislation


Government entities and private-sector organizations in the United States now have a common framework that encourages the sharing of cybersecurity threat information among each other, thanks to new federal legislation. The framework also protects the privacy of personally identifiable information and provides liability protections to organizations that follow it and act in good faith. Just before adjourning for the year, the US Congress passed the Cybersecurity Act of 2015 (P.L. 114-113) on 18 December 2015, and President Barack Obama signed the measure into law later the same day. The legislation was tacked on to a massive omnibus appropriations bill at the last minute to facilitate consideration of the bill in the full House of Representatives and the Senate.

HIGHLIGHTS
- Background
- Survey Results
- Cybersecurity Information Sharing Act
- Definitions
- Policies and Procedures
- Sharing Information Within the Federal Government
- Uses of Shared Information
- Liability Protections
- Best Practices
- Other Provisions
- Conclusion

The Cybersecurity Act of 2015 aims to defend against cyberattacks by creating a framework for the voluntary sharing of cyber threat information between private entities and the federal government, as well as among agencies of the federal government. At the same time, the legislation aims to protect individuals' privacy rights by ensuring that personal information is not unnecessarily divulged. The goal of the legislation is to encourage the private sector and the US government to exchange cyber threat information rapidly and responsibly. Under the Act, information about a threat found on one system can be quickly shared in order to prevent a similar attack on, or mitigate a similar threat to, other companies, agencies and consumers.

Privacy advocates counter that the new law authorizes and enables broader surveillance by the federal government and provides weak privacy protections. The new law took effect upon its enactment on 18 December 2015 and runs through 30 September 2025.

CSX SPECIAL REPORT. 2016 ISACA. ALL RIGHTS RESERVED

BACKGROUND

The legislation had a rocky road to enactment. Bills similar to the Cybersecurity Act were proposed in previous sessions of Congress with little advancement. In January 2015, President Obama called for cyber information sharing legislation in his State of the Union Address. In April 2015, the House of Representatives passed two separate versions of the legislation (H.R. 1560 and H.R. 1731), one put forth by the House Intelligence Committee and the other by the House Homeland Security Committee. The US Senate passed its version of the bill, the Cybersecurity Information Sharing Act (CISA) of 2015 (S. 754), on 27 October 2015 by a vote of 74 to 21. Following the Senate action, a conference committee was appointed to compile a compromise version that would pass muster in both the House and the Senate. Despite great progress in hammering out a deal, the legislation almost didn't make it to the respective floors for a vote because of tight scheduling. At the last minute, the legislation was attached to a larger omnibus bill so it could be considered. As a result, neither chamber of Congress spent much time debating the compromise cybersecurity text put forth for a vote.

Congressional Comment: House Permanent Select Committee on Intelligence Chairman Devin Nunes (R-CA) commented upon the passage of the bill: "The American people overwhelmingly agree that we need to improve our defenses against cyber attacks and to keep our Intelligence Community fully funded to track and neutralize terrorists. That consensus is reflected in the big, bipartisan majorities that approved these bills in Congress. I'm grateful to the Appropriations Committee for including these bills in the omnibus package, and I look forward to their swift passage into law."
SURVEY RESULTS

According to the ISACA January 2016 Cybersecurity Snapshot survey, 72% of US respondents are in favor of the US Cybersecurity Information Sharing Act (CISA), 10% are not in favor and 15% are unsure. According to the same survey, 46% stated they would voluntarily share information as outlined by this legislation, 13% would not share, and 28% are unsure.

CYBERSECURITY INFORMATION SHARING ACT

Title I of the larger Cybersecurity Act of 2015 is titled the Cybersecurity Information Sharing Act of 2015 (CISA). Under this title, companies are permitted to monitor and operate defensive measures on their own information systems, and on the systems of others with written authorization. Entities are encouraged to implement and use security controls to protect against unauthorized access to or acquisition of cyber threat indicators or defensive measures. Companies may share threat indicators and defensive measures with the federal government, but they must institute appropriate security controls and remove personal information not directly related to the reported cybersecurity threat. Liability protections are available to companies that choose to share information, provided they implement the proper controls.

Under the Act, information about an individual may be provided to law enforcement if the identity of the party responsible for creating the threat is known from the threat metadata.

Congressional Comment: Explaining his nay vote on the legislation, Senator Ron Wyden (D-OR) stated: "Unfortunately, this misguided cyber legislation does little to protect Americans' security, and a great deal more to threaten our privacy than the flawed Senate version. Americans demand real solutions that will protect them from foreign hackers, not knee-jerk responses that allow companies to fork over huge amounts of their customers' private data with only cursory review."

Comment: The removal of personal information from data shared by businesses with the federal government may appease some who had privacy concerns regarding similar legislative proposals. Despite this, many privacy advocates and even some members of Congress still have significant concerns about the value of the legislation.

Private entities may also share threat indicators and defensive measures with other private entities; again, personal information must be removed and security controls should be in place.

Business Impact: If two or more private entities exchange cyber threat indicators or defensive measures, the exchange will not be a violation of antitrust laws. Moreover, entities that share information with the federal government will continue to receive any applicable legal protections, including trade secret protections.

The Act also promotes and facilitates the sharing of cyber threat indicators and defensive measures within the federal government. This includes the sharing of classified information with representatives of relevant federal and non-federal entities that have the requisite security clearances.

DEFINITIONS

The new law defines a cybersecurity threat as an action on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality or integrity of an information system, or of information that is stored on, processed by or transiting an information system. A cybersecurity threat does not include an action protected by the First Amendment to the Constitution of the United States (i.e., protection of free speech), nor any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.

A defensive measure is defined as an action, device, procedure, signature, technique or other mechanism applied to an information system, or to information that is stored on, processed by or transiting a system, that detects, prevents or mitigates a known or suspected cybersecurity threat or security vulnerability.

Under the legislation, a cyber threat indicator is defined as information necessary to describe or identify:
- Malicious reconnaissance
- A method of defeating a security control or exploiting a vulnerability
- A security vulnerability
- A method of causing a user with legitimate access to an information system to unwittingly enable the defeat of a security control
- Malicious cyber command and control
- The actual or potential harm caused by an incident
- Any other attribute of a cybersecurity threat

Comment: Statements such as "any other attribute of a cybersecurity threat" may be construed by law enforcement in a broad manner, thereby allowing the government to include more information than may be necessary. It is unclear whether the courts will later define this statement narrowly so as to limit the collection and dissemination of sensitive personal information.
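The sharing rule in the previous section (personal information not directly related to the threat must be removed before an indicator leaves the organization) and the indicator categories just listed are what a sharing entity's pipeline actually has to implement. The following is an added example, not code from the ISACA report or from the Act's implementing guidance: it keeps only fields that carry the indicator attributes above, removes victim-side fields that identify a specific individual, redacts stray identifiers from free text while preserving threat-related values such as a phishing sender address, and records every removal for audit. The field names, the allowlists and the sample record are assumptions for illustration.

```python
"""PII minimization for a cyber threat indicator before it is shared.

Added example, not code from the ISACA report or from the Act's own
guidance. Field names, allowlists and the sample record are assumptions.
"""
import re
from typing import Any

# Fields carrying the attributes the Act's indicator definition names
# (reconnaissance, exploitation method, vulnerability, C2, harm). Values
# here describe the threat, so they are kept even if they look personal:
# a phishing sender address is directly related to the threat.
INDICATOR_FIELDS = {
    "indicator_type", "malicious_recon_source", "exploit_method",
    "vulnerability", "c2_domain", "c2_ip", "file_hash", "phishing_sender",
    "observed_harm",
}

# Fields that identify a specific individual on the victim side and are
# not needed to describe the threat: removed before sharing.
VICTIM_PII_FIELDS = {"victim_user", "victim_email", "victim_employee_id", "victim_phone"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d .-]{8,}\d\b")


def scrub_text(text: str, threat_values: set[str]) -> str:
    """Redact email addresses and phone numbers in free text, keeping any
    address that is itself a threat-related indicator value."""
    def keep_or_redact(match: re.Match) -> str:
        value = match.group(0)
        return value if value.lower() in threat_values else "[email redacted]"
    text = EMAIL_RE.sub(keep_or_redact, text)
    return PHONE_RE.sub("[phone redacted]", text)


def prepare_for_sharing(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return (shareable record, audit log of removals).

    Default-deny: a field that is neither an allowlisted indicator field
    nor the free-text description is dropped, so a newly added PII field
    cannot leak by omission.
    """
    threat_values = {
        str(v).lower() for k, v in record.items() if k in INDICATOR_FIELDS and v is not None
    }
    shared: dict[str, Any] = {}
    log: list[str] = []
    for name, value in record.items():
        if name in INDICATOR_FIELDS:
            shared[name] = value
        elif name == "description":
            cleaned = scrub_text(str(value), threat_values)
            shared[name] = cleaned
            if cleaned != value:
                log.append("description: redacted personal identifiers in free text")
        elif name in VICTIM_PII_FIELDS:
            log.append(f"{name}: removed (identifies a specific individual)")
        else:
            log.append(f"{name}: dropped (not an allowlisted indicator field)")
    return shared, log


# Constructed sample record (fictitious values in reserved .test domains).
SAMPLE_RECORD: dict[str, Any] = {
    "indicator_type": "phishing",
    "phishing_sender": "invoice@bad-example.test",
    "c2_domain": "c2.bad-example.test",
    "file_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "observed_harm": "credential theft attempted, no data exfiltrated",
    "victim_user": "jdoe",
    "victim_email": "jane.doe@victim-corp.test",
    "ticket_owner": "Jane Doe",
    "description": (
        "Mail from invoice@bad-example.test to jane.doe@victim-corp.test; "
        "the user called the helpdesk from +1 555 010 2222 after opening it."
    ),
}

if __name__ == "__main__":
    shared_record, audit_log = prepare_for_sharing(SAMPLE_RECORD)
    for key, val in shared_record.items():
        print(f"{key}: {val}")
    print("audit:", *audit_log, sep="\n  ")
```

The allowlist is deliberately default-deny: anything not recognized as an indicator attribute is dropped and logged rather than passed through, which is the safer failure mode when the cost of over-sharing is loss of the Act's liability protection. The audit log is what an internal reviewer (or a later records-destruction process) would use to show what was withheld and why.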
POLICIES AND PROCEDURES

The new Act does not specify many compliance-based rules; instead, it directs regulators to detail the specifics in policies and procedures to be issued. By mid-February 2016, the Attorney General and the Secretary of Homeland Security must develop interim policies and procedures relating to the receipt of cyber threat indicators and defensive measures and promoting the sharing of cyber threat indicators by the private sector with the federal government. By mid-June 2016, final policies and procedures must be released. These policies and procedures must clarify:
- The types of information that would typically qualify as cyber threat indicators
- The types of information deemed personal to a specific individual or identifying a specific individual
- The types of information protected under privacy laws that are unlikely to be directly related to cybersecurity threats

In addition, the Attorney General and the Secretary of Homeland Security will develop privacy and civil liberties guidelines governing the receipt, retention, use and dissemination by a federal entity of cyber threat indicators obtained through voluntary sharing by a private entity. The guidelines must include a process for the timely destruction of information not directly related to authorized uses, specify the length of time a cyber threat indicator may be retained, and provide requirements to safeguard cyber threat indicators containing personal information. Additionally, sanctions for misuse of information by officers, employees or agents of the federal government will be issued as part of the guidelines.

Comment: The sanctions to be imposed for misuse are not spelled out in the legislation; instead, the Attorney General and the Secretary of Homeland Security will issue this guidance. Many believe, however, that the guidelines are unlikely to criminalize such misconduct, as is currently the case for misuse of information shared regarding critical infrastructure, which can be subject to criminal penalties.

The guidelines must also be consistent with the Fair Information Practice Principles (FIPPs) and protect the confidentiality of cyber threat indicators containing personal information to the greatest extent practicable.

Business Impact: While the legislation does not describe what is meant by "greatest extent practicable", the liability protections contained in the Act will ensure that entities sharing potential cyber threat indicators are not held responsible for misuse by those with whom the data were shared.

Finally, the guidelines must ensure that the dissemination of cyber threat indicators is consistent with the protection of classified and other sensitive national security information. The privacy and civil liberties guidelines must be reviewed at least once every two years.

SHARING INFORMATION WITHIN THE FEDERAL GOVERNMENT

In the same time frame as noted above, policies and procedures must also be issued for sharing information inside the federal government. These policies and procedures must:
- Ensure that cyber threat indicators shared with the federal government by a private entity are shared in an automated fashion with all appropriate federal agencies
- Ensure that cyber threat indicators are shared with the appropriate federal agencies in real time, subject only to delays based on controls that are established, uniformly applied and agreed to unanimously by the heads of the included federal entities
- Establish audit capabilities
- Provide appropriate sanctions for officers, employees or agents of the federal government who knowingly and willfully conduct unauthorized activities

Comment: "Appropriate federal agency" is defined to include the Department of Commerce, the Department of Defense, the Department of Energy, the Department of Homeland Security, the Department of Justice, the Department of the Treasury and the Office of the Director of National Intelligence.

Business Impact: Because the legislation mandates that shared cyber threat indicators and defensive measures will be received by and shared among many federal agencies, businesses need to balance the risks and rewards of sharing that information.

USES OF SHARED INFORMATION

Information shared with the federal government, and by extension with state, tribal or local governments, may only be used for:
- Identifying a cybersecurity threat and/or its source
- Identifying a security vulnerability
- Responding to, preventing or mitigating a specific threat of death, serious bodily harm or serious economic harm
- Responding to, investigating or prosecuting a serious threat to a minor
- Preventing, investigating, disrupting or prosecuting a fraud or identity theft offense; an espionage or censorship offense; or a trade secret theft offense

Business Impact: Information shared with state, tribal or local governments may be used to investigate and prosecute alleged cyber criminals. Shared information, however, cannot be used by a state, tribal or local government to directly regulate the lawful activity of any entity, although it may be used to inform the development or implementation of regulations. Information shared with the federal government is exempt from disclosure under the federal Freedom of Information Act and under comparable state, tribal and local public-records laws.

LIABILITY PROTECTIONS

The sharing of information is completely voluntary, but companies that share cyber threat indicators or defensive measures will receive legal liability safeguards if they comply with the appropriate privacy protections. The Cybersecurity Information Sharing Act provides that no cause of action shall lie or be maintained in any court against any entity for the monitoring of information systems, or for the sharing or receipt of cyber threat indicators or defensive measures, if the monitoring or sharing is conducted in accordance with the procedures outlined in the Act.

Comment: It is unclear whether the liability protections offered in the Act will be enough of an enticement for businesses to participate in the program. Many companies, however, view liability protection as a minimum requirement for taking part in any information-sharing arrangement.

BEST PRACTICES

By mid-February 2016, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense and the Attorney General must jointly develop and issue procedures to facilitate and promote the timely sharing of classified cyber threat indicators and defensive measures in the possession of the US government with representatives of relevant entities that have the appropriate security clearance. In addition, procedures for the sharing of declassified and unclassified cyber threat indicators and defensive measures with a broader audience, including the private sector, will be developed.

Business Impact: Companies that lack the requisite security clearance may have little incentive to partner with government agencies. Not until these procedures are developed will companies be able to evaluate the threat indicators on offer and determine the value of sharing information.

The Act also encourages the US government to periodically share cybersecurity best practices developed through ongoing analysis of cyber threat indicators, defensive measures and information relating to cybersecurity threats.

OTHER PROVISIONS

The Cybersecurity Act of 2015 also includes provisions that amend the Homeland Security Act of 2002 to promote the national advancement of cybersecurity and make it consistent with CISA. Additionally, a report on the cybersecurity vulnerabilities of US ports and a report on the security of federal government mobile devices are mandated. Finally, the Act requires an assessment of the federal cybersecurity workforce.

Comment: According to global respondents to a recent ISACA survey, 48% of organizations plan to hire new cybersecurity staff in 2016, but 94% expect it will be difficult to find skilled candidates.

CONCLUSION

It remains to be seen whether the Cybersecurity Act of 2015's voluntary scheme for sharing cyber information will create the necessary incentives to overcome the legal and non-legal disincentives that have previously deterred a more robust dissemination of this information. Because the goals of cyber information legislation are often diametrically opposed, it may simply be impossible for information-sharing legislation to simultaneously promote the rapid and robust collection and dissemination of cyber intelligence by the federal government while also ensuring that the government respects the property and privacy interests implicated by such information sharing.