CISA aims to facilitate voluntary cybersecurity information sharing between private and public entities. It establishes procedures for sharing cyber threat indicators and defensive measures through Automated Indicator Sharing, and provides liability protection for entities that share information for permitted cybersecurity purposes. CISA also addresses issues relating to classified, unclassified, and declassified information, as well as antitrust and privacy considerations regarding shared information.
2. Lesson outline: Cybersecurity Information Sharing Act 2015
1. CISA Overview
2. Changes Mandated or Facilitated by CISA
a. Cyber Security Threat and Means of Sharing
b. AIS
c. CTIs and DMs.
3. Classified, Declassified, and Unclassified CTIs and DMs
4. Information Sharing Guidelines
5. Antitrust and Privacy and Civil Liberties
3. Learning Outcomes: Cybersecurity Information Sharing Act 2015
Upon completion of this lesson, students will be able to:
• Identify the purpose of Cybersecurity Information Sharing and CISA.
• Understand the procedure of automated indicator sharing and what cyber threat indicators and defensive measures are.
• Begin to understand the basic legal framework of CISA.
• Determine public concerns with information sharing.
• Identify the distinction between classified, declassified, and unclassified information sharing.
4. CISA Overview
The Cybersecurity Act of 2015 was signed on December 18, 2015.
CISA is the result of the President’s and Congress’s mandate to the Intelligence Community to create a more integrated infrastructure where information is routinely shared. (See United States Intelligence Community, Information Sharing Strategy (February 22, 2008).)
The purpose is to facilitate voluntary cybersecurity information sharing in order to prevent, among other things, data breaches, while removing the fear of liability for private and public enterprises.
CISA authorizes conduct, but does not necessarily prohibit conduct other than through its definitions. The central pillars are “voluntary sharing” and “liability protection.”[1]
1. 6 U.S.C. §§ 1501-1510
5. CISA[2]: Structure of the Act
• 102 – Definitions.
• 103 – Sharing Information by the Federal Government.
  • Joint Procedures:
    • Director of National Intelligence
    • Secretary of Homeland Security
    • Secretary of Defense
    • Attorney General.
• 104 – Authorizations for Preventing, Detecting, Analyzing, and Mitigating Cybersecurity Threats.
  • Monitoring
  • Operate defensive measures
  • Share and receive cyber threat information
  • Personal information removal.
• 105 – Sharing of Cyber Threat Indicators and Defensive Measures with the Federal Government.
2. CISA, Sections 102-105
6. CISA[3]: Structure of the Act (cont.)
• 106 – Protection from Liability.
  • Data Breach Laws.
• 107 – Oversight of Government Activities.
  • Reports and Recommendations.
• 108 – Construction and Preemption.
  • Whistleblower protection
  • Lawful disclosure
  • Relationship to other laws
  • Constitutional protection in criminal prosecution
  • Regulatory authorities.
• 109 – Report on Cybersecurity Threats.
  • Requirements.
• 110 – Exception to Limitation on Authority of Secretary of Defense to Disseminate Certain Information.
  • Secretary of Defense.
3. CISA, Sections 106-110
7. Changes Mandated or Facilitated by CISA
• Automated Indicator Sharing (AIS)
  • DHS-managed means for information sharing
  • Initiative that arose from CISA
  • CISA grants liability protection to companies sharing information through AIS
  • Light speed sharing
  • Sharing CTIs and DMs among federal and non-federal entities
• Cyber Threat Indicators (CTIs)
• Defensive Measures (DMs)
8. AIS: Automated Indicator Sharing
AIS enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed, and provides for anonymity.
An entity can e-mail cyber threat indicators and defensive measures to DHS at: ncciccustomerservice@hq.dhs.gov.
Privacy protection – AIS processes protect personally identifiable information (PII).
Entities that participate include:
• Private sector entities
• Federal departments and agencies
• State, local, tribal, and territorial governments
• Information Sharing and Analysis Centers (ISACs)
• Information Sharing and Analysis Organizations (ISAOs)
9. CTIs: Cyber Threat Indicators
A “cyber threat indicator” means information that is “necessary to describe or identify” a variety of listed threats, including “malicious reconnaissance” and methods of exploiting a security vulnerability or causing a legitimate user to unwittingly enable such exploitation. Also included is information on the “actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat.”[4]
4. CISA, Section 102(6)
10. CTIs: Cyber Threat Indicator Information
• Some Information Necessary to Describe:
  • Malicious Reconnaissance
  • Exploitation of a Security Vulnerability
  • Defeat of Security Controls
  • Malicious Cyber Command and Control
  • Harm Caused by an Incident
  • Other Attribute of a Cybersecurity Threat.
• Examples:
  • File Hashes
  • Malicious URLs
  • Technical Characteristics of Malware.
11. DMs: Defensive Measures
“CISA defines a ‘defensive measure’ as ‘an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.’”[5]
5. CISA, Section 102(7)(A)
12. Purpose of CISA: Assessment
What is the purpose of CISA?
A. Facilitate voluntary cybersecurity information sharing
B. Provide for information sharing between U.S. and foreign nationals
C. Implement the President’s Executive Order on immigration data gathering
D. Mandate private sector sharing of CTI and DM with government
13. Purpose of CISA: Assessment Answer
What is the purpose of CISA?
A. Facilitate voluntary cybersecurity information sharing
B. Provide for information sharing between U.S. and foreign nationals
C. Implement the President’s Executive Order on immigration data gathering
D. Mandate private sector sharing of CTI and DM with government
14. CTIs and DMs: Assessment
What answer best describes a CTI and a DM?
A. Incident and preventive behavior
B. Malicious URLs and technique that detects known cybersecurity threat
C. Virus and firewall
D. Data breach and software updates
15. CTIs and DMs: Assessment Answer
What answer best describes a CTI and a DM?
A. Incident and preventive behavior
B. Malicious URLs and technique that detects known cybersecurity threat
C. Virus and firewall
D. Data breach and software updates
16. Classified, Declassified, and Unclassified CTIs and DMs
• “It is the policy of the U.S. Government to make every reasonable effort ‘to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity.’”[6]
• Discussion: Realities versus Bureaucracy?
6. The Office of the Director of National Intelligence, DHS, DOD, DOJ, “Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act 2015” (February 16, 2016)
17. Classified CTIs & DMs[7]
The sharing of cyber threat information that is classified is “dependent upon the recipient’s security clearance level and must be performed in accordance with applicable policy and protection requirements for intelligence sources, methods, operations, and investigations, which are not superseded by this document.
Any federal entity sharing classified information must continue to conform to existing classification standards and adhere to handling restriction…”[8]
7. CISA, Section 103(a)(1)
8. The Office of the Director of National Intelligence, DHS, DOD, DOJ, “Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act 2015” (February 16, 2016), p. 7.
18. Declassified CTIs & DMs[9]
“To implement sharing CTIs, DMs, and information relating to cybersecurity threats in their possession that may be declassified and shared at an unclassified level, federal entities are encouraged to downgrade, declassify, sanitize or make use of tearlines to ensure dissemination of cyber threat information to the maximum extent possible.”[10]
9. CISA, Section 103(a)(2)
10. The Office of the Director of National Intelligence, DHS, DOD, DOJ, “Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act 2015” (February 16, 2016), p. 9.
19. Unclassified CTIs & DMs[11]
“In general, federal entities should make unclassified CTIs and DMs broadly available to each other and to non-federal entities, subject to any specific handling instructions associated with a particular CTI or DM.
To the extent a federal entity receives a CTI or DM from a non-federal entity in a manner other than the real-time process described in Section 105(c) of CISA, the recipient federal entity shall share such CTI or DM with each appropriate federal entity as quickly as operationally practicable, consistent with applicable law and the mission of those entities.”[12]
11. CISA, Section 103(a)(3)
12. The Office of the Director of National Intelligence, DHS, DOD, DOJ, “Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act 2015” (February 16, 2016), p. 10.
20. Sharing Unclassified Material: Assessment
What is the policy of the U.S. Government vis-à-vis unclassified reports?
A. To make sure that the reports are unclassified
B. To make every reasonable effort to ensure the timely production of cyber threats
C. To declassify the material and report it timely thereafter
21. Sharing Unclassified Material: Assessment Answer
What is the policy of the U.S. Government vis-à-vis unclassified reports?
A. To make sure that the reports are unclassified
B. To make every reasonable effort to ensure the timely production of cyber threats
C. To declassify the material and report it timely thereafter
22. Information Sharing Structure
• Means of Sharing:
  • Industry and Government:
    • Authorizes companies to share cyber threat indicators and defensive measures
    • DHS sharing with federal agencies
  • Between Private Entities
    • Formal or Informal Exchange Agreements
    • Structured or Unstructured
23. Information Sharing
Only for Cybersecurity Purposes:
A cybersecurity threat is “any action that may result in unauthorized access to, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information stored on or transiting an information system, or unauthorized exfiltration of information stored on or transiting an information system.”[13]
Liability Protection.
Review and remove, prior to sharing, any cyber threat indicator content that may contain personal information.
13. Department of Justice and Federal Trade Commission, Antitrust Policy Statement on Sharing of Cybersecurity Information (footnote 4)
24. Information Sharing: Government & Private Sector and Federal & State Governments
When sharing CTIs and DMs with the federal government, the information must be shared in accordance with Section 105(c) (the DHS procedure) for the private entity to receive liability protection under Section 106.
An entity can also receive liability protection under the exception for a communication between a regulated non-federal entity and its federal regulatory authority.[14]
If there is no liability protection, but the information still fulfills the other requirements of CISA, information shared with the federal government may still qualify for other protections, e.g. non-waiver of privilege and non-disclosure under the Freedom of Information Act (FOIA).
Entities may share CTIs and DMs through AIS, a web form, e-mail, or other information sharing programs.
14. See Section 105(c)(1)(B)(ii)
25. Information Sharing: PII
Companies that share CTIs must remove any information that the company knows at the time of sharing to be PII (or otherwise to identify a specific individual) and that is “not directly related to a cybersecurity threat.” Alternatively, companies should implement a “technical capacity” to remove such information.[15]
Examples of PII that must be removed:
• Consumer history
• Financial information
• Health information that is protected.
15. CISA, Sections 104(d)(2)(A) and (B).
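As an added illustration, not part of the lesson deck and not AIS or DHS code, here is a Python sketch of the “technical capacity” the slide describes: a constructed CTI submission is split into indicator fields that may be shared, PII fields that are removed before sharing, and items queued for human review (the editor’s notes at the end of the deck pair automated mitigation with elements of human review). All field names and sample values are assumptions made for the example.

```python
import re

# Added illustration; field names and all sample values are assumptions, not from CISA or AIS.
# Indicator fields follow the slide's CTI examples (file hashes, malicious URLs, technical
# characteristics of malware); PII fields follow its PII examples (consumer history,
# financial information, protected health information).
THREAT_FIELDS = {"file_hash", "malicious_url", "malware_characteristics"}
PII_FIELDS = {"customer_history", "financial_info", "health_info"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def scrub_cti(record):
    """Split a submission into (shared, removed, review): fields safe to share,
    PII removed before sharing, and items a human reviewer must decide on."""
    shared, removed, review = {}, {}, {}
    for key, value in record.items():
        if key in THREAT_FIELDS:
            shared[key] = value
        elif key in PII_FIELDS:
            removed[key] = value
        elif key == "description":
            # Free text may name individuals: redact e-mail addresses automatically,
            # but keep the originals in the review queue, because a sender address
            # used in a phishing lure can itself be threat-related and a reviewer
            # may decide to restore it.
            found = EMAIL_RE.findall(value)
            shared[key] = EMAIL_RE.sub("[email redacted]", value)
            if found:
                review["description_emails"] = found
        else:
            # Neither a known indicator field nor known PII: never share silently.
            review[key] = value
    return shared, removed, review


# Constructed sample submission (every value is made up for the example).
SAMPLE_CTI = {
    "file_hash": "sha256:<constructed placeholder>",
    "malicious_url": "http://example.invalid/update.exe",
    "malware_characteristics": "signed with a revoked certificate; persists via a scheduled task",
    "description": "Phishing e-mail from billing@example.net to jane.doe@example.com "
                   "delivered the attachment with the hash above.",
    "customer_history": ["order-1234", "order-5678"],
    "financial_info": "card ending 4242",
    "health_info": "diagnosis code (constructed)",
    "ticket_owner": "J. Doe",
}


def demo():
    return scrub_cti(SAMPLE_CTI)
```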
26. CISA & Antitrust
Concerns:
• Price Fixing Concerns
• Competitive Coordination.
Mitigating Concerns:[16]
• Information Sharing Agreements and the Rule of Reason Analysis
• The Agencies consider, in their evaluation of shared information, the nature and detail of the information disclosed and the extent to which sensitive information is likely to be disclosed to competitors.
• Typically the information shared is more technical in nature
• Sharing can help secure networks
16. CISA, Section 104(e)(1) and (2)
27. CISA: Privacy and Civil Liberties
• Review and remove, prior to sharing, any cyber threat indicator content that may contain personal information.
• Technical Capabilities.
• Not Directly Related to a Cybersecurity Threat.
• Criminal Liability Forfeiture.
• Fair Information Practice Principles (FIPPs):
  • Used in evaluating and considering systems, processes, or programs that might affect individual privacy
  • Receipt
  • Use – see Section 105(d)(5).
  • Retention – see Section 105(d)(5)(A).
  • Dissemination – see Section 103(b)(1)(E).
• Review cyber threat indicators to assess whether they contain information not directly related to a cybersecurity threat, and remove such personal information that is not directly relevant.
28. CISA Discussion: Antitrust and Privacy and Civil Liberties
• What are data breach laws and their underlying purposes?
• What kind of personal information is in harm’s way?
• Debate: is the government punishing poor handling of private information, or providing liability protection for preventive and public interest purposes?
29. CISA: Legal Review
CISA overrides federal and state laws that prohibit – or restrict – voluntary disclosure.
CISA authorizes a private entity to share cyber threat indicators and defensive measures with other private entities.
Liability Protection – also for information shared with ISAOs, ISACs and other federal agencies or law enforcement.
CISA does not interfere with voluntary or legally compelled disclosure or participation.
FOIA and Sunshine Laws Exemption.
Non-waiver of privileges.
30. Legal Overview: Assessment
What does CISA provide for? Choose two.
1. CISA overrides federal and state laws that prohibit – or restrict – voluntary disclosure
2. CISA interferes with voluntary and legally compelled disclosure or participation
3. CISA does not override federal and state laws
4. CISA does not interfere with voluntary or legally compelled disclosure or participation
31. Image Attribution
The images on the following slides are from Pixabay (https://pixabay.com), and per the website: “All images and videos on Pixabay are released under the Creative Commons CC0. Thus, they may be used freely for almost any purpose - even commercially and in printed format. Attribution is appreciated, but not required.”[17]
• Slides 2-23
• Slides 25-30
17. https://pixabay.com/en/blog/posts/public-domain-images-what-is-allowed-and-what-is-4/
Editor's Notes
Privacy protection – AIS processes to protect personally identifiable information (PII):
• Automated analyses and technical mitigations
• Incorporate elements of human review
• Minimize data to what is directly relevant to a cyber threat, and retain only the information needed
• Collect information for network defense only, or for limited law enforcement purposes