This document is licensed with a Creative Commons Attribution 4.0 International License ©2017
Module II
Week 6: Cyber Governance – Cybersecurity
Information Sharing Act of 2015
Lesson 12: Cybersecurity Information Sharing
Lesson Author: Anne Toomey McKenna, Distinguished Scholar of Cyber Law & Policy, Penn
State's Dickinson Law and Institute for CyberScience. The author wishes to thank Penn
State Law students Ylli Dautaj and Ann Mallison for their assistance with this lesson.
Lesson outline: Cybersecurity Information
Sharing Act 2015
1. CISA Overview
2. Changes Mandated or Facilitated by CISA
a. Cyber Security Threat and Means of Sharing
b. AIS
c. CTIs and DMs.
3. Classified, Declassified, and Unclassified CTIs and DMs
4. Information Sharing Guidelines
5. Antitrust and Privacy and Civil Liberties
Learning Outcomes: Cybersecurity
Information Sharing Act 2015
Upon completion of this lesson, students will be able to:
• Identify the purpose of Cybersecurity Information Sharing and CISA.
• Understand the procedure of automated indicator sharing and what
cyber threat indicators and defensive measures are.
• Begin to understand the basic legal framework of CISA.
• Determine public concerns with information sharing.
• Identify the distinction between classified, declassified, and unclassified
information sharing.
CISA Overview
The Cybersecurity Act of 2015 was signed on December 18, 2015.
CISA is the result of the President and Congress’s mandate to the
Intelligence Community to create a more integrated infrastructure
where information is routinely shared. (See United States Intelligence
Community, Information Sharing Strategy (February 22, 2008).)
The purpose is to facilitate voluntary cybersecurity information sharing
in order to prevent, among other things, data breaches while removing
fear of liability for private and public enterprises.
CISA authorizes conduct, but does not necessarily prohibit conduct
other than through definitions. The central pillars are “voluntary
sharing” and “liability protection.”1
1. 6 U.S.C. §§ 1501-1510
CISA2: Structure of the Act
• 102 – Definitions.
• 103 – Sharing Information by the Federal Government.
• Joint Procedures:
• National Intelligence
• Secretary of Homeland Security
• Secretary of Defense
• Attorney General.
• 104 – Authorizations for Preventing, Detecting, Analyzing, and
Mitigating Cybersecurity Threats.
• Monitoring
• Operate defensive measures
• Share and receive cyber threat information
• Personal information removal.
• 105 – Sharing of Cyber Threat Indicators and Defensive Measures
with the Federal Government.
2. CISA, Section 102-105
CISA3: Structure of the Act (cont.)
• 106 – Protection from Liability.
• Data Breach Laws.
• 107 – Oversight of Government Activities.
• Reports and Recommendations.
• 108 – Construction and Preemption.
• Whistleblower protection
• Lawful Disclosure
• Relationship to other laws
• Constitutional protection in criminal prosecution
• Regulatory authorities.
• 109 – Report on Cybersecurity Threats.
• Requirements.
• 110 – Exception to Limitation on Authority of Secretary of Defense to
Disseminate Certain Information.
• Secretary of Defense.
3. CISA, Section 106-110
Changes Mandated or Facilitated by CISA
• Automated Indicator Sharing (AIS)
• DHS-managed means for information sharing
• Initiative that arose from CISA
• CISA grants liability protection to companies sharing information
through AIS
• Light speed sharing
• Sharing CTIs and DMs among federal and non-federal entities
• Cyber Threat Indicators (CTIs)
• Defensive Measures (DMs)
AIS: Automated Indicator Sharing
AIS enables the exchange of cyber threat indicators between the Federal
Government and the private sector at machine speed, and provides for
anonymity.
An entity can e-mail cyber threat indicators and defensive measures to
DHS at: ncciccustomerservice@hq.dhs.gov.
Privacy protection – AIS processes protect personally identifiable
information (PII).
Entities who participate include:
Private sector entities
Federal departments and agencies
State, local, tribal, and territorial governments
Information Sharing and Analysis Centers (ISACs)
Information Sharing and Analysis Organizations (ISAOs)
CTIs: Cyber Threat Indicators
A “cyber threat indicator” means information that is
“necessary to describe or identify” a variety of listed threats,
including “malicious reconnaissance” and methods of
exploiting a security vulnerability or causing a legitimate user
to unwittingly enable such exploitation. Also included is
information on the “actual or potential harm caused by an
incident, including a description of the information exfiltrated
as a result of a particular cybersecurity threat.”4
4. CISA, Section 102(6)
CTIs: Cyber Threat Indicator Information
• Some Information Necessary to Describe:
• Malicious Reconnaissance
• Exploitation of a Security Vulnerability
• Defeat of Security Controls
• Malicious Cyber Command and Control
• Harm Caused by an Incident
• Other Attribute of a Cybersecurity Threat.
• Examples:
• File Hashes
• Malicious URLs
• Technical Characteristics of Malware.
DMs: Defensive Measures
“CISA defines a ‘defensive measure’ as ‘an action, device,
procedure, signature, technique, or other measure applied to
an information system or information that is stored on,
processed by, or transiting an information system that
detects, prevents, or mitigates a known or suspected
cybersecurity threat or security vulnerability.’”5
5. CISA, Section 102 (7)(A)
Purpose of CISA: Assessment
What is the purpose of CISA?
A. Facilitate voluntary cybersecurity information sharing
B. Provide for information sharing between U.S. and foreign
nationals
C. Implement the President’s Executive Order on
immigration data gathering
D. Mandate private sector sharing of CTI and DM with
government
Purpose of CISA: Assessment Answer
What is the purpose of CISA?
A. Facilitate voluntary cybersecurity information sharing
B. Provide for information sharing between U.S. and foreign
nationals
C. Implement the President’s Executive Order on
immigration data gathering
D. Mandate private sector sharing of CTI and DM with
government
CTIs and DMs: Assessment
What answer best describes a CTI and a DM?
A. Incident and preventive behavior
B. Malicious URLs and technique that detects known
cybersecurity threat
C. Virus and firewall
D. Data breach and software updates
CTIs and DMs: Assessment Answer
What answer best describes a CTI and a DM?
A. Incident and preventive behavior
B. Malicious URLs and technique that detects known
cybersecurity threat
C. Virus and firewall
D. Data breach and software updates
Classified, Declassified, and Unclassified
CTIs and DMs
• “It is the policy of the U.S. Government to make every
reasonable effort ‘to ensure the timely production of
unclassified reports of cyber threats to the U.S. homeland
that identify a specific targeted entity.’”6
• Discussion: Realities versus Bureaucracy?
6. The Office of the Director of National Intelligence, DHS, DOD, DOJ, “Sharing of Cyber Threat Indicators and Defensive Measures by the Federal
Government under the Cybersecurity Information Sharing Act of 2015” (February 16, 2016).
Classified CTIs & DMs7
The sharing of cyber threat information that is classified is “dependent
upon the recipient’s security clearance level and must be performed in
accordance with applicable policy and protection requirements for
intelligence sources, methods, operations, and investigations, which
are not superseded by this document.
Any federal entity sharing classified information must continue to
conform to existing classification standards and adhere to handling
restriction…” 8
7. CISA, Section 103(a)(1)
8. The Office of the Director of National Intelligence, DHS, DOD, DOJ, “Sharing of Cyber Threat Indicators and Defensive Measures
by the Federal Government under the Cybersecurity Information Sharing Act of 2015” (February 16, 2016), p. 7.
Declassified CTIs & DMs:9
“To implement sharing CTIs, DMs, and information relating to
cybersecurity threats in their possession that may be declassified and
shared at an unclassified level, federal entities are encouraged to
downgrade, declassify, sanitize or make use of tearlines to ensure
dissemination of cyber threat information to the maximum extent
possible.” 10
9. CISA, Section 103(a)(2)
10. The Office of the Director of National Intelligence, DHS, DOD, DOJ, “Sharing of Cyber Threat Indicators and Defensive Measures by the
Federal Government under the Cybersecurity Information Sharing Act of 2015” (February 16, 2016), p. 9.
Unclassified CTIs & DMs:11
“In general, federal entities should make unclassified CTIs and
DMs broadly available to each other and to non-federal
entities, subject to any specific handling instructions
associated with a particular CTI or DM.
To the extent a federal entity receives a CTI or DM from a non-
federal entity in a manner other than the real-time process
described in Section 105(c) of CISA, the recipient federal
entity shall share such CTI or DM with each appropriate
federal entity as quickly as operationally practicable,
consistent with applicable law and the mission of those
entities.”12
11. CISA, Section 103(a)(3)
12. The Office of the Director of National Intelligence, DHS, DOD, DOJ, “Sharing of Cyber Threat Indicators and Defensive Measures by the
Federal Government under the Cybersecurity Information Sharing Act of 2015” (February 16, 2016), p. 10.
Sharing Unclassified Material: Assessment
What is the policy of the U.S. Government vis-à-vis
unclassified reports?
A. To make sure that the reports are unclassified
B. To make every reasonable effort to ensure the timely
production of cyber threats
C. To declassify the material and report it timely thereafter
Sharing Unclassified Material: Assessment
Answer
What is the policy of the U.S. Government vis-à-vis
unclassified reports?
A. To make sure that the reports are unclassified
B. To make every reasonable effort to ensure the timely
production of cyber threats
C. To declassify the material and report it timely thereafter
Information Sharing Structure
• Means of Sharing:
• Industry and Government:
• Authorizes companies to share cyber threat and defensive
measures
• DHS sharing with federal agencies
• Between Private Entities
• Formal or Informal Exchange Agreements
• Structured or Unstructured
Information Sharing
Only for Cybersecurity Purposes:
A cybersecurity threat is “any action that may result in
unauthorized access to, manipulation of, or impairment to the
integrity, confidentiality, or availability of an information system or
information stored on or transiting an information system, or
unauthorized exfiltration of information stored on or transiting an
information system.”13
Liability Protection
Review a cyber threat indicator that may contain personal
information, and remove that information, prior to sharing.
13. Department of Justice and Federal Trade Commission: Antitrust Policy Statement on Sharing of Cybersecurity Information (footnote 4)
Information Sharing: Government & Private
Sector and Federal & State Governments
When sharing CTIs and DMs with the federal government, the
information must be shared in accordance with Section 105(c) (DHS
procedure) for the private entity to receive liability protection under
Section 106.
An entity can also receive liability protection under the exception for
a communication between a regulated non-federal entity and its
federal regulatory authority.14
If there is no liability protection, but the information still fulfills other
requirements pursuant to CISA, the information shared with the
federal government may still qualify for other protection, e.g. non-
waiver of privilege and non-disclosure under the Freedom of
Information Act (FOIA).
May share CTIs and DMs through AIS, Web form, Email, or other
information sharing programs.
14. See Section 105(c)(1)(B)(ii)
Information Sharing: PII
Companies that share CTIs must remove any personal information
that the company knows at the time of sharing to be information of
a specific individual (or information that identifies a specific
individual) and that is “not directly related to a cybersecurity
threat.” Alternatively, companies must implement a “technical
capacity” configured to remove such information.15
Examples of PII that must be removed:
• Consumer history
• Financial information
• Health information that is protected.
15. CISA, Sections 104(d)(2)(A) and (B).
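The review-and-remove step described above (and revisited under Privacy and Civil Liberties below), as an added Python example that is not code from the lesson, DHS, or the AIS program: it scrubs a constructed indicator record before sharing, drops the PII categories the lesson lists, redacts personal data inside free text, and keeps an analyst-reviewed value (here the phishing sender address) that is directly related to the threat. The field names, patterns, and sample record are assumptions made for this example.

```python
import re

# Field names that carry the kinds of personal information the lesson lists as
# removable (consumer history, financial information, protected health
# information). These names are assumptions for this constructed record, not a
# schema that CISA or AIS defines.
PII_FIELDS = {
    "customer_name", "purchase_history", "account_number", "card_number",
    "diagnosis", "patient_id", "home_address",
}

# Fields that describe the threat itself (the indicator value and its context)
# and therefore stay in the shared record. Also an assumption.
THREAT_FIELDS = {
    "indicator_type", "indicator", "first_seen", "malware_family",
    "description", "tlp",
}

# Personal data can also hide in free-text fields; these patterns catch the
# common shapes. Coverage is deliberately narrow and is not a substitute for
# analyst review.
PATTERNS = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[email removed]"),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[ssn removed]"),
    ("card", re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "[card removed]"),
]


def redact_text(text, keep=frozenset()):
    """Replace personal-data patterns in free text, except values the analyst
    has reviewed and listed in `keep` as directly related to the threat (for
    example the sender address of a phishing campaign).
    Returns (new_text, kinds_hit)."""
    hits = []
    for kind, pattern, label in PATTERNS:
        def repl(match, kind=kind, label=label):
            if match.group(0) in keep:
                return match.group(0)
            hits.append(kind)
            return label
        text = pattern.sub(repl, text)
    return text, hits


def scrub_indicator(record, threat_related=frozenset()):
    """Return (sanitized_copy, audit_log).

    The audit log records every removal so the review step leaves a trail;
    the original record is not modified."""
    sanitized, audit = {}, []
    for key, value in record.items():
        if key in PII_FIELDS:
            audit.append(f"dropped {key!r}: personal information not directly related to the threat")
            continue
        if key not in THREAT_FIELDS:
            audit.append(f"dropped {key!r}: not an approved threat field")
            continue
        if isinstance(value, str):
            value, kinds = redact_text(value, threat_related)
            audit.extend(f"redacted {k} in {key!r}" for k in kinds)
        sanitized[key] = value
    return sanitized, audit


def ready_to_share(record, threat_related=frozenset()):
    """Final gate before submission: True only if no PII field remains and
    every personal-data pattern still present was reviewed as threat-related."""
    if any(key in PII_FIELDS for key in record):
        return False
    for value in record.values():
        if not isinstance(value, str):
            continue
        for _, pattern, _ in PATTERNS:
            if any(m.group(0) not in threat_related for m in pattern.finditer(value)):
                return False
    return True


# Constructed sample submission: the indicator, domains, names and numbers are
# made up for this example and are not real indicators or real people.
SAMPLE = {
    "indicator_type": "url",
    "indicator": "hxxp://invoice-update.example/login",
    "first_seen": "2017-03-01",
    "malware_family": "constructed-credential-harvester",
    "tlp": "green",
    "description": ("Phish sent from billing@evil.example to jane.doe@victim.example; "
                    "victim entered card 4111 1111 1111 1111 and SSN 123-45-6789."),
    "customer_name": "Jane Doe",
    "purchase_history": ["2017-02-10 order #1234"],
    "diagnosis": "constructed",
}
SENDER = {"billing@evil.example"}  # reviewed: the attacker's address is the threat

if __name__ == "__main__":
    clean, log = scrub_indicator(SAMPLE, SENDER)
    print(clean["description"])
    for line in log:
        print(" -", line)
    print("ready to share:", ready_to_share(clean, SENDER))
```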
CISA & Antitrust
Concerns:
• Price Fixing Concerns
• Competitive Coordination.
Mitigating Concerns:16
• Information Sharing Agreements and the Rule of Reason Analysis
• The Agencies consider in their evaluation of shared information the
nature and detail of the information disclosed and the extent to which
sensitive information is likely to be disclosed to competitors.
• Typically the information shared is more technical in nature
• Sharing can help secure networks
16. CISA, Section 104(e)(1) and (2)
CISA: Privacy and Civil Liberties
• Review a cyber threat indicator that may contain personal information,
and remove that information, prior to sharing.
• Technical Capabilities.
• Not Directly Related to a Cybersecurity Threat.
• Criminal Liability Forfeiture.
• Fair Information Practice Principles (FIPPs):
• Used in evaluating and considering systems, processes, or programs that
might affect individual privacy
• Receipt
• Use – see Section 105(d)(5).
• Retention – see Section 105(d)(5)(A).
• Dissemination – see Section 103(b)(1)(E).
• Review cyber threat indicator to assess whether it contains information
not directly related to a cybersecurity threat and to remove such
personal information that is not directly relevant.
CISA Discussion: Antitrust and Privacy and Civil
Liberties
• What are data breach laws and their underlying purposes?
• What kind of personal information is in harm's way?
• Debate whether the government is punishing poor handling of
private information or providing liability protection for preventive
and public-interest purposes.
CISA: Legal Review
CISA overrides federal and state laws that prohibit – or
restrict – voluntary disclosure.
CISA authorizes a private entity to share cyber threat
indicators and defensive measures with other private
entities.
Liability Protection – also for information shared with
ISAOs, ISACs and other federal agencies or law
enforcement.
CISA does not interfere with voluntary or legally compelled
disclosure or participation.
FOIA and Sunshine Laws Exemption
No waiver of privileges.
Legal Overview: Assessment
What does CISA provide for? Choose two.
1. CISA overrides federal and state laws that prohibit – or
restrict – voluntary disclosure
2. CISA interferes with voluntary and legally compelled
disclosure or participation
3. CISA does not override federal and state laws
4. CISA does not interfere with voluntary or legally
compelled disclosure or participation
Image Attribution
The images on the following slides are from Pixabay
(https://pixabay.com), and per the website: “All images and
videos on Pixabay are released under the Creative Commons
CC0. Thus, they may be used freely for almost any purpose -
even commercially and in printed format. Attribution is
appreciated, but not required.”17
• Slides 2-23
• Slides 25-30
17. https://pixabay.com/en/blog/posts/public-domain-images-what-is-allowed-and-what-is-4/

More Related Content

Similar to Module II Week 6 Lesson 12.pptx

Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...Chuck Brooks
 
Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115
Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115
Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115James Bryce Clark
 
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015Robert Craig
 
Information security
Information securityInformation security
Information securityOnkar Sule
 
Cybersecurity environment in malaysia and the function of internal auditor
Cybersecurity environment in malaysia and the function of internal auditorCybersecurity environment in malaysia and the function of internal auditor
Cybersecurity environment in malaysia and the function of internal auditorKhalizan Halid
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challengemsdee3362
 
Achieving Caribbean Cybersecuirty
Achieving Caribbean CybersecuirtyAchieving Caribbean Cybersecuirty
Achieving Caribbean CybersecuirtyShiva Bissessar
 
Cyber Security for Oil and Gas
Cyber Security for Oil and Gas Cyber Security for Oil and Gas
Cyber Security for Oil and Gas mariaidga
 
Abhishek kurre.pptx
Abhishek kurre.pptxAbhishek kurre.pptx
Abhishek kurre.pptxDolchandra
 
Securing Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonSecuring Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonEljay Robertson
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challengemsdee3362
 
June 16 2015 P&S Update Webinar
June 16 2015 P&S Update WebinarJune 16 2015 P&S Update Webinar
June 16 2015 P&S Update WebinarMichael R Geske
 
The new massachusetts privacy rules v5.35.1
The new massachusetts privacy rules v5.35.1The new massachusetts privacy rules v5.35.1
The new massachusetts privacy rules v5.35.1stevemeltzer
 
Struse 2015 A funny thing happened on the way to OASIS: standarising STIX +...
Struse 2015   A funny thing happened on the way to OASIS: standarising STIX +...Struse 2015   A funny thing happened on the way to OASIS: standarising STIX +...
Struse 2015 A funny thing happened on the way to OASIS: standarising STIX +...James Bryce Clark
 
Cybersecurity Issues All Lawyers Should Know -- Especially Litigators
Cybersecurity Issues All Lawyers Should Know -- Especially LitigatorsCybersecurity Issues All Lawyers Should Know -- Especially Litigators
Cybersecurity Issues All Lawyers Should Know -- Especially LitigatorsShawn Tuma
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview   focus on encryption by dave cunningh...Law firm information security overview   focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...David Cunningham
 
Axxera End Point Security Protection
Axxera End Point Security ProtectionAxxera End Point Security Protection
Axxera End Point Security ProtectionShawn Crimson
 

Similar to Module II Week 6 Lesson 12.pptx (20)

Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...
 
Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115
Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115
Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115
 
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
 
Information security
Information securityInformation security
Information security
 
Cybersecurity environment in malaysia and the function of internal auditor
Cybersecurity environment in malaysia and the function of internal auditorCybersecurity environment in malaysia and the function of internal auditor
Cybersecurity environment in malaysia and the function of internal auditor
 
28658043 cyber-terrorism
28658043 cyber-terrorism28658043 cyber-terrorism
28658043 cyber-terrorism
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
 
Cybercrime Surveillance.docx
Cybercrime Surveillance.docxCybercrime Surveillance.docx
Cybercrime Surveillance.docx
 
Achieving Caribbean Cybersecuirty
Achieving Caribbean CybersecuirtyAchieving Caribbean Cybersecuirty
Achieving Caribbean Cybersecuirty
 
Cyber Security for Oil and Gas
Cyber Security for Oil and Gas Cyber Security for Oil and Gas
Cyber Security for Oil and Gas
 
Abhishek kurre.pptx
Abhishek kurre.pptxAbhishek kurre.pptx
Abhishek kurre.pptx
 
Securing Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonSecuring Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay Robertson
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
 
Chapter 1 - Introduction.pdf
Chapter 1 - Introduction.pdfChapter 1 - Introduction.pdf
Chapter 1 - Introduction.pdf
 
June 16 2015 P&S Update Webinar
June 16 2015 P&S Update WebinarJune 16 2015 P&S Update Webinar
June 16 2015 P&S Update Webinar
 
The new massachusetts privacy rules v5.35.1
The new massachusetts privacy rules v5.35.1The new massachusetts privacy rules v5.35.1
The new massachusetts privacy rules v5.35.1
 
Struse 2015 A funny thing happened on the way to OASIS: standarising STIX +...
Struse 2015   A funny thing happened on the way to OASIS: standarising STIX +...Struse 2015   A funny thing happened on the way to OASIS: standarising STIX +...
Struse 2015 A funny thing happened on the way to OASIS: standarising STIX +...
 
Cybersecurity Issues All Lawyers Should Know -- Especially Litigators
Cybersecurity Issues All Lawyers Should Know -- Especially LitigatorsCybersecurity Issues All Lawyers Should Know -- Especially Litigators
Cybersecurity Issues All Lawyers Should Know -- Especially Litigators
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview   focus on encryption by dave cunningh...Law firm information security overview   focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...
 
Axxera End Point Security Protection
Axxera End Point Security ProtectionAxxera End Point Security Protection
Axxera End Point Security Protection
 

Recently uploaded

Benefits and Challenges of Using Open Educational Resources
Benefits and Challenges of Using Open Educational ResourcesBenefits and Challenges of Using Open Educational Resources
Benefits and Challenges of Using Open Educational Resourcesdimpy50
 
How to Split Bills in the Odoo 17 POS Module
How to Split Bills in the Odoo 17 POS ModuleHow to Split Bills in the Odoo 17 POS Module
How to Split Bills in the Odoo 17 POS ModuleCeline George
 
Sectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdfSectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdfVivekanand Anglo Vedic Academy
 
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptxJose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptxricssacare
 
Basic_QTL_Marker-assisted_Selection_Sourabh.ppt
Basic_QTL_Marker-assisted_Selection_Sourabh.pptBasic_QTL_Marker-assisted_Selection_Sourabh.ppt
Basic_QTL_Marker-assisted_Selection_Sourabh.pptSourabh Kumar
 
slides CapTechTalks Webinar May 2024 Alexander Perry.pptx
slides CapTechTalks Webinar May 2024 Alexander Perry.pptxslides CapTechTalks Webinar May 2024 Alexander Perry.pptx
slides CapTechTalks Webinar May 2024 Alexander Perry.pptxCapitolTechU
 
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptxMARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptxbennyroshan06
 
How to Break the cycle of negative Thoughts
How to Break the cycle of negative ThoughtsHow to Break the cycle of negative Thoughts
How to Break the cycle of negative ThoughtsCol Mukteshwar Prasad
 
Basic Civil Engineering Notes of Chapter-6, Topic- Ecosystem, Biodiversity G...
Basic Civil Engineering Notes of Chapter-6,  Topic- Ecosystem, Biodiversity G...Basic Civil Engineering Notes of Chapter-6,  Topic- Ecosystem, Biodiversity G...
Basic Civil Engineering Notes of Chapter-6, Topic- Ecosystem, Biodiversity G...Denish Jangid
 
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...Nguyen Thanh Tu Collection
 
Home assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdfHome assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdfTamralipta Mahavidyalaya
 
Forest and Wildlife Resources Class 10 Free Study Material PDF
Forest and Wildlife Resources Class 10 Free Study Material PDFForest and Wildlife Resources Class 10 Free Study Material PDF
Forest and Wildlife Resources Class 10 Free Study Material PDFVivekanand Anglo Vedic Academy
 
The Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational ResourcesThe Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational Resourcesaileywriter
 
Salient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptxSalient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptxakshayaramakrishnan21
 
Fish and Chips - have they had their chips
Fish and Chips - have they had their chipsFish and Chips - have they had their chips
Fish and Chips - have they had their chipsGeoBlogs
 
2024_Student Session 2_ Set Plan Preparation.pptx
2024_Student Session 2_ Set Plan Preparation.pptx2024_Student Session 2_ Set Plan Preparation.pptx
2024_Student Session 2_ Set Plan Preparation.pptxmansk2
 
Gyanartha SciBizTech Quiz slideshare.pptx
Gyanartha SciBizTech Quiz slideshare.pptxGyanartha SciBizTech Quiz slideshare.pptx
Gyanartha SciBizTech Quiz slideshare.pptxShibin Azad
 
NLC-2024-Orientation-for-RO-SDO (1).pptx
NLC-2024-Orientation-for-RO-SDO (1).pptxNLC-2024-Orientation-for-RO-SDO (1).pptx
NLC-2024-Orientation-for-RO-SDO (1).pptxssuserbdd3e8
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxRaedMohamed3
 

Recently uploaded (20)

Benefits and Challenges of Using Open Educational Resources
Benefits and Challenges of Using Open Educational ResourcesBenefits and Challenges of Using Open Educational Resources
Benefits and Challenges of Using Open Educational Resources
 
How to Split Bills in the Odoo 17 POS Module
How to Split Bills in the Odoo 17 POS ModuleHow to Split Bills in the Odoo 17 POS Module
How to Split Bills in the Odoo 17 POS Module
 
Sectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdfSectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdf
 
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptxJose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx
 
Basic_QTL_Marker-assisted_Selection_Sourabh.ppt
Basic_QTL_Marker-assisted_Selection_Sourabh.pptBasic_QTL_Marker-assisted_Selection_Sourabh.ppt
Basic_QTL_Marker-assisted_Selection_Sourabh.ppt
 
slides CapTechTalks Webinar May 2024 Alexander Perry.pptx
slides CapTechTalks Webinar May 2024 Alexander Perry.pptxslides CapTechTalks Webinar May 2024 Alexander Perry.pptx
slides CapTechTalks Webinar May 2024 Alexander Perry.pptx
 
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptxMARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
 
Ethnobotany and Ethnopharmacology ......
Ethnobotany and Ethnopharmacology ......Ethnobotany and Ethnopharmacology ......
Ethnobotany and Ethnopharmacology ......
 
How to Break the cycle of negative Thoughts
How to Break the cycle of negative ThoughtsHow to Break the cycle of negative Thoughts
How to Break the cycle of negative Thoughts
 
Basic Civil Engineering Notes of Chapter-6, Topic- Ecosystem, Biodiversity G...
Basic Civil Engineering Notes of Chapter-6,  Topic- Ecosystem, Biodiversity G...Basic Civil Engineering Notes of Chapter-6,  Topic- Ecosystem, Biodiversity G...
Basic Civil Engineering Notes of Chapter-6, Topic- Ecosystem, Biodiversity G...
 
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
 
Home assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdfHome assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdf
 
Forest and Wildlife Resources Class 10 Free Study Material PDF
Forest and Wildlife Resources Class 10 Free Study Material PDFForest and Wildlife Resources Class 10 Free Study Material PDF
Forest and Wildlife Resources Class 10 Free Study Material PDF
 
The Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational ResourcesThe Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational Resources
 
Salient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptxSalient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptx
 
Fish and Chips - have they had their chips
Fish and Chips - have they had their chipsFish and Chips - have they had their chips
Fish and Chips - have they had their chips
 
2024_Student Session 2_ Set Plan Preparation.pptx
2024_Student Session 2_ Set Plan Preparation.pptx2024_Student Session 2_ Set Plan Preparation.pptx
2024_Student Session 2_ Set Plan Preparation.pptx
 
Gyanartha SciBizTech Quiz slideshare.pptx
Gyanartha SciBizTech Quiz slideshare.pptxGyanartha SciBizTech Quiz slideshare.pptx
Gyanartha SciBizTech Quiz slideshare.pptx
 
NLC-2024-Orientation-for-RO-SDO (1).pptx
NLC-2024-Orientation-for-RO-SDO (1).pptxNLC-2024-Orientation-for-RO-SDO (1).pptx
NLC-2024-Orientation-for-RO-SDO (1).pptx
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
 

Module II Week 6 Lesson 12.pptx

4. CISA Overview
The Cybersecurity Act of 2015 was signed on December 18, 2015.
CISA is the result of the President and Congress’s mandate to the Intelligence Community to create a more integrated infrastructure where information is routinely shared. (See United States Intelligence Community, Information Sharing Strategy (February 22, 2008).)
The purpose is to facilitate voluntary cybersecurity information sharing in order to prevent, among other things, data breaches while removing fear of liability for private and public enterprises.
CISA authorizes conduct, but does not necessarily prohibit conduct other than through definitions. The central pillars are “voluntary sharing” and “liability protection.”1
1. 6 U.S.C. §§ 1501-1510

5. CISA2: Structure of the Act
• 102 – Definitions.
• 103 – Sharing Information by the Federal Government.
  • Joint Procedures:
    • National Intelligence
    • Secretary of Homeland Security
    • Secretary of Defense
    • Attorney General.
• 104 – Authorizations for Preventing, Detecting, Analyzing, and Mitigating Cybersecurity Threats.
  • Monitoring
  • Operate defensive measures
  • Share and receive cyber threat information
  • Personal information removal.
• 105 – Sharing of Cyber Threat Indicators and Defensive Measures with the Federal Government.
2. CISA, Sections 102-105

6. CISA3: Structure of the Act (cont.)
• 106 – Protection from Liability.
  • Data Breach Laws.
• 107 – Oversight of Government Activities.
  • Reports and Recommendations.
• 108 – Construction and Preemption.
  • Whistleblower protection
  • Lawful Disclosure
  • Relationship to other laws
  • Constitutional protection in criminal prosecution
  • Regulatory authorities.
• 109 – Report on Cybersecurity Threats.
  • Requirements.
• 110 – Exception to Limitation on Authority of Secretary of Defense to Disseminate Certain Information.
  • Secretary of Defense.
3. CISA, Sections 106-110

7. Changes Mandated or Facilitated by CISA
• Automated Indicator Sharing (AIS)
  • DHS-managed means for information sharing
  • Initiative that arose from CISA
  • CISA grants liability protection to companies sharing information through AIS
  • Light-speed sharing
  • Sharing CTIs and DMs among federal and non-federal entities
• Cyber Threat Indicators (CTIs)
• Defensive Measures (DMs)

8. AIS: Automated Indicator Sharing
AIS enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed, and provides for anonymity.
An entity can e-mail cyber threat indicators and defensive measures to DHS at: ncciccustomerservice@hq.dhs.gov.
Privacy protection – AIS processes protect personally identifiable information (PII).
Entities that participate include:
• Private sector entities
• Federal departments and agencies
• State, local, tribal, and territorial governments
• Information Sharing and Analysis Centers (ISACs)
• Information Sharing and Analysis Organizations (ISAOs)

9. CTIs: Cyber Threat Indicators
A “cyber threat indicator” means information that is “necessary to describe or identify” a variety of listed threats, including “malicious reconnaissance” and methods of exploiting a security vulnerability or causing a legitimate user to unwittingly enable such exploitation. Also included is information on the “actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat.”4
4. CISA, Section 102(6)

10. CTIs: Cyber Threat Indicator Information
• Some information necessary to describe:
  • Malicious Reconnaissance
  • Exploitation of a Security Vulnerability
  • Defeat of Security Controls
  • Malicious Cyber Command and Control
  • Harm Caused by an Incident
  • Other Attribute of a Cybersecurity Threat.
• Examples:
  • File Hashes
  • Malicious URLs
  • Technical Characteristics of Malware.

11. DMs: Defensive Measures
“CISA defines a ‘defensive measure’ as ‘an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.’”5
5. CISA, Section 102(7)(A)

12. Purpose of CISA: Assessment
What is the purpose of CISA?
A. Facilitate voluntary cybersecurity information sharing
B. Provide for information sharing between U.S. and foreign nationals
C. Implement the President’s Executive Order on immigration data gathering
D. Mandate private sector sharing of CTI and DM with government

13. Purpose of CISA: Assessment Answer
What is the purpose of CISA?
A. Facilitate voluntary cybersecurity information sharing
B. Provide for information sharing between U.S. and foreign nationals
C. Implement the President’s Executive Order on immigration data gathering
D. Mandate private sector sharing of CTI and DM with government

14. CTIs and DMs: Assessment
What answer best describes a CTI and a DM?
A. Incident and preventive behavior
B. Malicious URLs and a technique that detects a known cybersecurity threat
C. Virus and firewall
D. Data breach and software updates

15. CTIs and DMs: Assessment Answer
What answer best describes a CTI and a DM?
A. Incident and preventive behavior
B. Malicious URLs and a technique that detects a known cybersecurity threat
C. Virus and firewall
D. Data breach and software updates

16. Classified, Declassified, and Unclassified CTIs and DMs
• “It is the policy of the U.S. Government to make every reasonable effort ‘to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity.’”6
• Discussion: Realities versus Bureaucracy?
6. The Office of the Director of National Intelligence, DHS, DOD, DOJ, “Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act 2015” (February 16, 2016)

17. Classified CTIs & DMs7
The sharing of cyber threat information that is classified is “dependent upon the recipient’s security clearance level and must be performed in accordance with applicable policy and protection requirements for intelligence sources, methods, operations, and investigations, which are not superseded by this document. Any federal entity sharing classified information must continue to conform to existing classification standards and adhere to handling restriction…”8
7. CISA, Section 103(a)(1)
8. The Office of the Director of National Intelligence, DHS, DOD, DOJ, “Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act 2015” (February 16, 2016), p. 7.

18. Declassified CTIs & DMs9
“To implement sharing CTIs, DMs, and information relating to cybersecurity threats in their possession that may be declassified and shared at an unclassified level, federal entities are encouraged to downgrade, declassify, sanitize or make use of tearlines to ensure dissemination of cyber threat information to the maximum extent possible.”10
9. CISA, Section 103(a)(2)
10. The Office of the Director of National Intelligence, DHS, DOD, DOJ, “Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act 2015” (February 16, 2016), p. 9.

19. Unclassified CTIs & DMs11
“In general, federal entities should make unclassified CTIs and DMs broadly available to each other and to non-federal entities, subject to any specific handling instructions associated with a particular CTI or DM. To the extent a federal entity receives a CTI or DM from a non-federal entity in a manner other than the real-time process described in Section 105(c) of CISA, the recipient federal entity shall share such CTI or DM with each appropriate federal entity as quickly as operationally practicable, consistent with applicable law and the mission of those entities.”12
11. CISA, Section 103(a)(3)
12. The Office of the Director of National Intelligence, DHS, DOD, DOJ, “Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act 2015” (February 16, 2016), p. 10.

20. Sharing Unclassified Material: Assessment
What is the policy of the U.S. Government vis-à-vis unclassified reports?
A. To make sure that the reports are unclassified
B. To make every reasonable effort to ensure the timely production of cyber threats
C. To declassify the material and report it timely thereafter

21. Sharing Unclassified Material: Assessment Answer
What is the policy of the U.S. Government vis-à-vis unclassified reports?
A. To make sure that the reports are unclassified
B. To make every reasonable effort to ensure the timely production of cyber threats
C. To declassify the material and report it timely thereafter

22. Information Sharing Structure
• Means of Sharing:
  • Industry and Government:
    • Authorizes companies to share cyber threat indicators and defensive measures
    • DHS sharing with federal agencies
  • Between Private Entities
    • Formal or Informal Exchange Agreements
    • Structured or Unstructured

23. Information Sharing Only for Cybersecurity Purposes
A cybersecurity threat is “any action that may result in unauthorized access to, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information stored on or transiting an information system, or unauthorized exfiltration of information stored on or transiting an information system.”13
Liability Protection
• Review and remove personal information prior to sharing a cyber threat indicator that may contain it.
13. Department of Justice and Federal Trade Commission: Antitrust Policy Statement on Sharing of Cybersecurity Information (footnote 4)

24. Information Sharing: Government & Private Sector and Federal & State Governments
When sharing CTIs and DMs with the federal government, the information must be shared in accordance with Section 105(c) (DHS procedure) for the private entity to receive liability protection under Section 106.
An entity can receive liability protection pursuant to the exceptions for a communication between regulated non-federal authorities and its regulatory federal authority.14
If there is no liability protection, but the information still fulfills other requirements pursuant to CISA, the information shared with the federal government may still qualify for other protection, e.g. non-waiver of privilege and non-disclosure under the Freedom of Information Act (FOIA).
Entities may share CTIs and DMs through AIS, Web form, Email, or other information sharing programs.
14. See Section 105(c)(1)(B)(ii)

25. Information Sharing: PII
Companies that share CTIs must remove any PII that the company knows at the time of sharing (or else that identifies a specific individual) and is “not directly related to a cybersecurity threat.” Companies should otherwise implement a “technical capacity” to remove such information.15
Examples of PII that must be removed:
• Consumer history
• Financial information
• Health information that is protected.
15. CISA, Sections 104(d)(2)(A) and (B).

26. CISA & Antitrust Concerns
• Price Fixing Concerns
• Competitive Coordination.
Mitigating Concerns:16
• Information Sharing Agreements and the Rule of Reason Analysis
  • The Agencies consider in their evaluation of shared information the nature and detail of the information disclosed and the extent to which sensitive information is likely to be disclosed to competitors.
• Typically the information shared is more technical in nature
• Sharing can help secure networks
16. CISA, Section 104(e)(1) and (2)

27. CISA: Privacy and Civil Liberties
• Review and remove personal information prior to sharing a cyber threat indicator that may contain it.
  • Technical Capabilities.
  • Not Directly Related to a Cybersecurity Threat.
  • Criminal Liability Forfeiture.
• Fair Information Practice Principles (FIPPs):
  • Used in evaluating and considering systems, processes, or programs that might affect individual privacy
  • Receipt
  • Use – see Section 105(d)(5).
  • Retention – see Section 105(d)(5)(A).
  • Dissemination – see Section 103(b)(1)(E).
• Review the cyber threat indicator to assess whether it contains information not directly related to a cybersecurity threat, and remove such personal information that is not directly relevant.
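The review-and-remove step that slides 25 and 27 describe, as an added Python example that is not part of the lesson or of any DHS/AIS tooling; the field names, the constructed sample record and the analyst-supplied allowlist of threat-related identifiers are assumptions:

```python
import re

# Added example, not part of the lesson: a minimal "technical capacity"
# (CISA Sec. 104(d)(2)(B)) that reviews a CTI record before sharing and drops
# personal information not directly related to the threat. Field names, the
# sample record and the regex are constructed assumptions.

# Fields describing the threat itself (the lesson's CTI examples: file
# hashes, malicious URLs, technical characteristics of malware).
THREAT_FIELDS = {"file_sha256", "malicious_url", "c2_domain", "malware_family"}

# Fields of the kinds the lesson says must be removed when not directly
# related to the threat: consumer history, financial and health information.
PII_FIELDS = {"customer_name", "customer_email", "account_number",
              "purchase_history", "health_record_id"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def review_indicator(record, threat_related_ids=frozenset()):
    """Return (sanitized, removed, held).
    sanitized: fields cleared for sharing through AIS
    removed:   PII fields dropped under Sec. 104(d)(2)
    held:      unrecognised fields kept back for human review, never shared blindly
    threat_related_ids: identifiers an analyst has confirmed are part of the
    threat (e.g. a phishing lure's sender address); these may stay in free text.
    """
    sanitized, removed, held = {}, [], []
    for key, value in record.items():
        if key in THREAT_FIELDS:
            sanitized[key] = value
        elif key in PII_FIELDS:
            removed.append(key)
        elif key == "notes":
            # Free text: redact e-mail addresses unless confirmed threat-related.
            sanitized[key] = EMAIL_RE.sub(
                lambda m: m.group(0) if m.group(0) in threat_related_ids
                else "[REDACTED-EMAIL]", value)
        else:
            held.append(key)
    return sanitized, removed, held

# Constructed sample record mixing threat data with incidental customer PII.
SAMPLE = {
    "file_sha256": "0" * 64,  # placeholder value, not a real indicator
    "malicious_url": "http://example.invalid/login",
    "malware_family": "ExampleStealer",
    "customer_email": "victim@example.com",
    "account_number": "1234-5678",
    "notes": "Lure sent from lure@example.invalid to victim@example.com",
    "ticket_owner": "analyst7",
}
if __name__ == "__main__":
    clean, removed, held = review_indicator(SAMPLE, {"lure@example.invalid"})
    print("share:", clean, "\nremoved:", removed, "\nheld for review:", held)
```

The `held` list is the "elements of human review" the editor's notes mention: a field the filter does not recognise is neither shared nor silently dropped, but queued for an analyst.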
28. CISA Discussion: Antitrust and Privacy and Civil Liberties
• What are data breach laws and their underlying purposes?
• What kind of personal information is in harm’s way?
• Debate whether the government is punishing poor handling of private information or providing liability protection for preventive and public-interest purposes.

29. CISA: Legal Review
• CISA overrides federal and state laws that prohibit – or restrict – voluntary disclosure.
• CISA authorizes a private entity to share cyber threat indicators and defensive measures with other private entities.
• Liability Protection – also for information shared with ISAOs, ISACs and other federal agencies or law enforcement.
• CISA does not interfere with voluntary or legally compelled disclosure or participation.
• FOIA and Sunshine Laws Exemption
• Waiver against privileges.

30. Legal Overview: Assessment
What does CISA provide for? Choose two.
1. CISA overrides federal and state laws that prohibit – or restrict – voluntary disclosure
2. CISA interferes with voluntary and legally compelled disclosure or participation
3. CISA does not override federal and state laws
4. CISA does not interfere with voluntary or legally compelled disclosure or participation

31. Image Attribution
The images on the following slides are from Pixabay (https://pixabay.com), and per the website: “All images and videos on Pixabay are released under the Creative Commons CC0. Thus, they may be used freely for almost any purpose - even commercially and in printed format. Attribution is appreciated, but not required.”17
• Slides 2-23
• Slides 25-30
17. https://pixabay.com/en/blog/posts/public-domain-images-what-is-allowed-and-what-is-4/

Editor's Notes

1. Privacy protection – AIS processes to protect personally identifiable information (PII):
   • Automated analyses and technical mitigations
   • Incorporate elements of human review
   • Minimize data to what is directly relevant to a cyber threat and retain only the information needed
   • Collect information for network defense only, or for limited law enforcement purposes
  2. .
  3. Each is discussed in subsequent slides.
  4. Each is discussed in subsequent slides.
5. Section 105(d)(5) (Use); Section 105(d)(5)(A) (Retention)