Updated Guidance on the Cybersecurity Information Sharing Act Of 2015

Kate B. Belmont and Sean T. Pribyl

Action Item: On June 15, 2016, the U.S. Department of Homeland Security (“DHS”) and the U.S. Department of Justice (“DOJ”) jointly issued a notice announcing the availability of the Cybersecurity Information Sharing Act of 2015 (“CISA”) Final Guidance Documents, Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities and The Privacy and Civil Liberties Final Guidelines(“Final Guidance Documents”). These updated Final Guidance Documents address policies and procedures relating to the receipt and sharing of cyber threat indicators from non-federal entities and defensive measures by the federal government, as well as guidelines regarding privacy and civil liberties. Clients should seek counsel in navigating CISA and to assist with developing comprehensive cyber risk management strategies.

The maritime industry continues to be vulnerable to real-world cyber risk, but recent guidance from the government and industry has provided insight into how best to protect against cyber threats. Cyber threats come in many shapes and forms, and the best approach to protecting against such threats includes awareness, education, systems reviews, and information sharing. Identifying cyber risk as a significant threat to all industries, and the maritime industry in particular, CISA provides clients with additional tools to defend and protect against cyber attacks and cyber risk.

What is CISA?

On December 18, 2015, President Obama signed into law the Cybersecurity Information Sharing Act of 2015. CISA was created to establish a voluntary cybersecurity information sharing process. Information sharing is a critical component in protecting and defending against cyber threats. The maritime industry, which has only recently begun to address cybersecurity, is at particular risk due to its failure to effectively share information on cyber risks and report and disclose the cyber threats facing the industry on a regular basis. CISA primarily serves to facilitate information sharing on cyber risks and cyber threats between the private sector and the federal government.

CISA designates the DHS as the central sharing point of “cyber threat indicators” between the private sector and the federal government. Under CISA, public and private sector entities are authorized—and encouraged—to share “cyber threat indicators” and “defensive measures.” A “cyber threat indicator” is defined as “information that is necessary to describe or identify malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability.” Cyber threat indicators include security vulnerabilities, methods of defeating a security control, and the actual or potential harm caused by a cyber incident. “Defensive measures” include any action, device, procedure, or other measure that detects, prevents or mitigates a known or suspected cybersecurity threat or security vulnerability.

CISA Protections, Information Sharing, and Anonymity

While many industries are hesitant to share information on cyber breaches and cyber vulnerabilities, CISA was created with the goal of encouraging a partnership with the private sector based on the “community trust principle,” and in design and practice incorporates anonymous information sharing procedures. One of the key provisions of CISA is that it affords anonymity and liability protection to private sector entities that share cyber threat indicators through DHS’s free Automated Indicator Sharing (“AIS”) capability. Participants in AIS connect to a DHS-managed system in its National Cybersecurity and Communications Integration Center (“NCCIC”), which allows bidirectional sharing of cyber threat indicators. In addition to reporting cyber threats, participants who share information through AIS also receive updates and reports on potential threats that are shared by all AIS participants. The exchange of information is not unilateral—those who report also receive updates on potential cyber threats and incidents from the federal government and other participants. It is important to note that those who share indicators or threats through AIS will not be identified as the source of those indicators to other participants unless they affirmatively consent to the disclosure of their identity.

Further, to qualify for CISA liability protections, the information shared and the manner in which it is shared must be in accordance with CISA provisions. CISA only authorizes information sharing for cybersecurity purposes, and any sharing or reporting that is not conducted in accordance with CISA is not eligible for its protections. Caution is warranted in all cases concerning the disclosure of personal data, and a legal determination may be required to determine if appropriate measures have been taken to protect such information.

CISA also limits the purposes for which the federal government can use cyber threat indicators provided to the DHS. The Federal Government may only use cyber threat indicators for cybersecurity and limited law enforcement purposes, such as identifying cybersecurity vulnerabilities or responding to specific threats of harm. CISA contains a number of processes to ensure protection of personally identifiable information, and the federal government only retains information necessary to address specific cyber threats. Importantly, CISA provides provisions limiting discoverability under the Freedom of Information Act (“FOIA”).

Many industries have found it challenging to develop effective information sharing organizations, although under CISA, private sector entities can share cyber threat indicators through participation in information sharing programs, such as an Information Sharing and Analysis Organization (“ISAO”) which exchanges information with the DHS on their behalf. An additional option is to participate in the Cyber Information Sharing and Collaboration Program (“CISCP”), which provides access to resources such as threat indicator bulletins, analysis reports, alerts, and recommended best practices. Clients should give careful consideration to whether they intend to participate in these information sharing programs to ensure they clearly understand the obligations, risks, and benefits first, and should consider seeking counsel in this regard.

Final Guidance Documents

On June 15, 2016, two Final Guidance Documents were released providing further clarification concerning various procedures under CISA. The first, Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities, establishes procedures relating to the receipt of cyber threat indicators and defensive measures by all federal entities under CISA. This guidance includes further clarification concerning the receipt, processing, and dissemination of cyber threat indicators through real-time and non-automated means, and also clarifies audit capabilities and unsanctioned use
under CISA.

The second document, Privacy and Civil Liberties Final Guidelines, provides further clarification concerning privacy and civil liberties, specifically those governing the receipt, retention, use, and dissemination of cyber threat indicators by a federal entity obtained in connection with the activities authorized by CISA. The Privacy and Civil Liberties Final Guidelines were developed jointly by the DHS and the DOJ, after consultation with the U.S. Departments of Commerce, Defense, Energy, and Treasury, and The Office of the Director of National Intelligence, as well as private entities with industry expertise related to cybersecurity. These procedures focus on various guiding principles that include transparency, individual participation, purpose specification, and security, among others. While instructive, it is important to note that all cyber threat indicators provided to the federal government under CISA may be disclosed to and used by any federal agency or department, officer, or employee of the federal government solely for authorized activities as outlined in CISA. Accordingly, for those interested in participating in AIS under CISA, or any other information sharing program with the federal government, it would be prudent to seek advice from counsel beforehand.

CISA’s Impact on the Maritime Industry

In 2016, the maritime industry has made a significant commitment to addressing cyber risk and promoting cyber risk management. The recently released Industry Guidelines on Cyber Security Onboard Ships, produced and supported by the Baltic and International Maritime Council (“BIMCO”), Cruise Lines International Association (“CLIA”), International Chamber of Shipping (“ICS”), International Association of Dry Cargo Shipowners (“INTERCARGO”), and International Association of Independent Tanker Owners (“INTERTANKO”), serve as a new standard for protecting shipboard systems, and the Interim
Guidelines on Maritime Cyber Risk Management, adopted by the International Maritime Organization (“IMO”), have become the new benchmark for best cybersecurity practices for the maritime industry. While these new guidelines and best practices help to manage cyber risk, the maritime industry could benefit from additional reporting and information sharing practices.

As the maritime industry continues to seek opportunities to manage cyber risk, CISA provides a new opportunity to exchange and receive cyber threat information in a secure environment surrounded by legal protections. Consequently, maritime clients seeking options for enhancing current cybersecurity measures should view CISA and participation in AIS as a legitimate option to supplement other best practices, and notably, one that allows for anonymous and voluntary reporting. However, careful consideration should be given to the benefits and risks associated with participation, including strategic decisions relating to anonymity and the content that is exchanged. As clients strive for ways to minimize cyber risk, it would be prudent to have counsel involved as part of the team to guide clients navigating CISA and assist with developing comprehensive cyber risk management strategies in an effort to minimize liabilities.