Cybersecurity Enhancements Through CISA
In today’s digital world, cybersecurity is a major concern for businesses. Companies need to ensure that their data is secure and protected from cyberattacks. To help, the US government passed the Cybersecurity Information Sharing Act (CISA) in 2015. In this article, we discuss what the Act does, its benefits, how organizations can use it to enhance their cybersecurity, and the strategies they can employ to get the most out of it.
Introduction to the Cybersecurity Information Sharing Act
The Cybersecurity Information Sharing Act (CISA) is a US law enacted in 2015 that aims to enhance cybersecurity by encouraging the sharing of threat intelligence and cybersecurity information between the government and the private sector. The Act creates a framework for sharing cyber threat indicators and defensive measures, and offers liability protections to companies that share in accordance with it. (It should not be confused with the Cybersecurity and Infrastructure Security Agency, the DHS component created in 2018 that shares the acronym and now operates the sharing program described below.) The original bill, S. 2588, was introduced in the U.S. Senate in July 2014 and reported out of the Senate Intelligence Committee by a vote of 12-3, but never reached the floor. The 2015 version, S. 754, passed the Senate on October 27, 2015 by a vote of 74-21. Its text was incorporated by amendment into the consolidated spending bill released in the U.S. House on December 15, 2015, which was signed into law by President Barack Obama on December 18, 2015 (Source: https://www.engadget.com/2015/12/18/house-senate-pass-budget-with-cisa/).
The goal of CISA is to better equip both the public and private sectors to protect against and respond to cyber threats by allowing real-time sharing of threat data between organizations. The Act has been a topic of debate between privacy advocates, who raised concerns about the potential misuse of personal information swept up in shared data, and the intelligence community, which viewed it as an important tool in the fight against cybercrime.
Benefits of the Cybersecurity Information Sharing Act
The Cybersecurity Information Sharing Act offers enterprises several advantages. First, it authorizes and encourages them to exchange cyber threat indicators and defensive measures with the federal government and with other private entities, with liability protection for sharing done in accordance with the Act. This helps enterprises understand the kinds of threats they are likely to face and how to defend their networks against them.
Second, the Act requires the federal government to develop procedures for sharing its own threat information, classified and unclassified, with the private sector, so that the flow of information runs in both directions.
Third, the Act directs DHS and the Department of Justice to publish guidance for non-federal entities on how to share under the Act, including what counts as a cyber threat indicator and how to remove personal information before sharing. This gives firms a concrete basis for their own sharing policies and procedures.
Fourth, the Act requires DHS to operate a capability through which non-federal entities can share indicators with the federal government in real time, and it authorizes entities to share directly with one another. This allows organizations to learn from each other’s experiences and contribute their own.
How the Cybersecurity Information Sharing Act works
The Cybersecurity Information Sharing Act works by allowing organizations to voluntarily share cyber threat indicators and defensive measures with the Department of Homeland Security, which distributes them to other federal agencies, and with other non-federal entities. Nothing in the Act obliges a company to share. In return, the Act requires the government to develop procedures for providing organizations with information about cyber threats and vulnerabilities, to publish guidance on how to share under the Act, and to operate a real-time mechanism for receiving and redistributing indicators. This should help organizations learn from each other’s experiences and share their own with others.
The congressional summary of the bill says:
“This bill requires the Director of National Intelligence and the Departments of Homeland Security (DHS), Defense, and Justice to develop procedures to share cybersecurity threat information with private entities, nonfederal government agencies, state, tribal, and local governments, the public, and entities under threats.
To detect, prevent, or mitigate cybersecurity threats or security vulnerabilities, private entities may monitor and operate defensive measures on: (1) their own information systems; and (2) with written consent, the information systems of other private or government entities.
Liability protections are provided to entities that voluntarily share and receive cyber threat indicators and defensive measures with other entities or the government.”
And further:
“Requires the Federal Bureau of Investigation (FBI) and the DHS Secretary to report to Congress regarding implementation of an automated malware analysis capability, including an assessment of the advisability of transferring the operation of such capability to DHS.
Requires cyber threat indicators and countermeasures shared with the federal government and threat indicators shared with state, tribal, or local agencies to be: (1) deemed voluntarily shared information, and (2) exempt from disclosure and withheld from the public under any laws of such jurisdictions requiring disclosure of information or records.”
The following is a non-exhaustive summary of CISA’s key provisions:
Monitor and Defend Information Systems.
For cybersecurity purposes, a company is allowed to “monitor” and “operate defensive measures” on its own information system or, with written consent, on the system of another party, as long as it meets certain requirements. Sections 104(a)(1)(A)–(C) and 104(b)(1)(A)–(C).
Protection from Being Held Responsible for Watching.
For “monitoring” done in accordance with CISA, “no cause of action shall lie or be maintained in any court against any private entity, and any such action shall be promptly dismissed.” Section 106(a). A parallel protection covers sharing or receiving indicators in accordance with the Act (Section 106(b)). Note that there is no similar protection from liability for operating defensive measures that go beyond monitoring.
Share or get information about cyber threat indicators or defensive steps.
A company is allowed to share “cyber threat indicators” and “defensive measures” for “cybersecurity purposes” with the federal government, state and local governments, and other companies and private entities, as long as it meets certain requirements. It is also allowed to receive them from these groups. Section 104(c)(1).
Scrub Personal Information Before Sharing.
A firm wanting to share a cyber threat indicator must, before sharing, review it for and remove any information “not directly related to a cybersecurity threat” that the firm “knows at the time of sharing” to be “personal information of a specific individual or information that identifies a specific individual”, or implement and use a technical capability configured to remove such information. Section 104(d)(2)(A)–(B). In practice this means the attacker’s sending address, command-and-control IP or malicious URL is the indicator and can be shared, while the names and addresses of the victims are not and must be stripped.
Antitrust Exemption
CISA provides that it is not a federal or state antitrust violation for companies to share cyber threat indicators or defensive measures in order to prevent, investigate, or mitigate threats. Section 104(e)(1), (2); see also Section 108(e).
Non-Waiver of Privilege
Sharing information with the federal government does not waive any privilege or other legal protection, including trade secret protection. Section 105(d)(1). There is no comparable provision for sharing with state and local governments or with other businesses.
Exemption from Federal and State FOIA Laws
Information shared under CISA is exempt from disclosure under the Freedom of Information Act (5 U.S.C. 552), as well as under any State or local provisions “requiring disclosure of information or records.” Section 105(d)(3).
Information Cannot Be Used to Regulate or Take Enforcement Actions Against Lawful Activities
Information shared under CISA “shall not be used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any non-Federal entity or any activities taken by a non-Federal entity pursuant to mandatory standards, including activities related to monitoring, operating defensive measures, or sharing cyber threat indicators.” The information may be used, however, to develop or implement new cybersecurity regulations. Section 105(d)(5)(D)(i), (ii).
How organizations can use the Cybersecurity Information Sharing Act
Organizations can use CISA to improve their cybersecurity. The Act lets enterprises share cyber threat indicators with the government and with other groups under the liability, privilege, antitrust and FOIA protections described above, and in return the government has to develop procedures for sharing its own threat and vulnerability information with them. Participating organizations therefore see a broader picture of the threats they face and how others have defended against them, and the DHS/DOJ guidance on what to share and how to scrub it gives them a ready template for their own sharing policies and plans.
On February 16, 2016, the Departments of Homeland Security and Justice published guidance to help non-federal entities share cyber threat indicators and defensive measures with the federal government under CISA (the “Guidance”). Additional documents published the same day addressed how federal agencies would protect the information they receive and share it with one another, with state and local governments, and with the private sector. The DHS capability through which the sharing actually happens is Automated Indicator Sharing (AIS). AIS uses open standards: Structured Threat Information Expression (STIX™) to represent cyber threat indicators and defensive measures, and Trusted Automated Exchange of Indicator Information (TAXII™) for machine-to-machine transport; the current version of the service, AIS 2.0, uses STIX 2.1 and TAXII 2.1. AIS is a free service. To participate, contact cyberservices@cisa.dhs.gov for engagement information and taxiiadmins@us-cert.gov for technical assistance during onboarding. The full instructions are on the Cybersecurity and Infrastructure Security Agency’s Automated Indicator Sharing page.
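The following Python is an added example, not code from the original article and not DHS/CISA’s own AIS tooling. It ties together the pre-share review that Section 104(d)(2) calls for (see “Scrub Personal Information Before Sharing” above) and the STIX 2.1 Indicator that a TAXII 2.1 client would submit to AIS. The internal record layout (field names such as sender_email and victim_email), the sample record and the redaction rule that attacker-controlled addresses are indicators while victim addresses are personal information are all assumptions made for illustration; a real review must follow the DHS/DOJ guidance and your own counsel’s reading of it.

```python
"""Added example: Section 104(d)(2)-style scrub, then a STIX 2.1 Indicator.

Field names, the redaction policy and the sample record are assumptions
for illustration; they are not taken from DHS/CISA guidance or AIS code.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Hypothetical internal incident-record fields that hold personal
# information about victims/employees and are NOT part of the threat.
NEVER_SHARE = {"victim_name", "victim_email", "victim_employee_id"}
# Fields whose values ARE the threat (attacker infrastructure) and are shared.
THREAT_FIELDS = ("sender_email", "c2_ip", "phish_url")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def scrub_record(record):
    """Return (scrubbed copy, list of removed field names).

    Drops NEVER_SHARE fields and redacts any e-mail address in free text
    that is not one of the attacker-controlled threat values."""
    threat_values = {record[f] for f in THREAT_FIELDS if f in record}
    scrubbed, removed = {}, []
    for key, value in record.items():
        if key in NEVER_SHARE:
            removed.append(key)
            continue
        scrubbed[key] = value
    if "description" in scrubbed:
        scrubbed["description"] = EMAIL_RE.sub(
            lambda m: m.group(0) if m.group(0) in threat_values else "[redacted]",
            scrubbed["description"])
    return scrubbed, removed


def _lit(value):
    """Quote a value as a STIX pattern string literal (escapes \\ and ')."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def _ts(dt):
    """STIX 2.1 timestamp: RFC 3339 in UTC with millisecond precision."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def build_pattern(scrubbed):
    """One observation expression per observable type, joined with OR."""
    parts = []
    if "sender_email" in scrubbed:
        parts.append(f"[email-addr:value = {_lit(scrubbed['sender_email'])}]")
    if "c2_ip" in scrubbed:
        parts.append(f"[ipv4-addr:value = {_lit(scrubbed['c2_ip'])}]")
    if "phish_url" in scrubbed:
        parts.append(f"[url:value = {_lit(scrubbed['phish_url'])}]")
    if not parts:
        raise ValueError("record has no shareable threat indicator")
    return " OR ".join(parts)


def build_bundle(record, now=None):
    """Scrub the record and wrap it in a STIX 2.1 Bundle holding one Indicator."""
    now = now or datetime.now(timezone.utc)
    scrubbed, _removed = scrub_record(record)
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": _ts(now),
        "modified": _ts(now),
        "name": scrubbed.get("name", "Phishing infrastructure"),
        "description": scrubbed.get("description", ""),
        "indicator_types": ["malicious-activity"],
        "pattern": build_pattern(scrubbed),
        "pattern_type": "stix",
        "valid_from": _ts(now),
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [indicator]}


def pii_check(bundle, record):
    """Final gate before TAXII submission: return the NEVER_SHARE fields whose
    values still appear anywhere in the serialized bundle (should be empty)."""
    blob = json.dumps(bundle)
    return [k for k in NEVER_SHARE if k in record and str(record[k]) in blob]


# Constructed sample incident record (not real data).
SAMPLE_RECORD = {
    "name": "Credential-phishing campaign against finance staff",
    "sender_email": "invoices@example-attacker.test",
    "c2_ip": "198.51.100.7",
    "phish_url": "http://example-attacker.test/login",
    "victim_name": "Jane Doe",
    "victim_email": "jane.doe@example.com",
    "victim_employee_id": "E-10442",
    "description": "Mail from invoices@example-attacker.test to jane.doe@example.com "
                   "linked to a fake SSO page; clicks beacon to 198.51.100.7.",
}

if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_RECORD)
    assert not pii_check(bundle, SAMPLE_RECORD)
    print(json.dumps(bundle, indent=2))
```

The design point is that the scrub happens on the structured record before the STIX object is built, and a separate check runs on the serialized bundle just before submission, so that personal information cannot leak back in through free-text fields. The review must be done at sharing time, and the Act also allows the “technical capability configured to remove” such information, which is what the automated scrub stands in for here.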
Challenges and limitations of the Cybersecurity Information Sharing Act
CISA is not without its limitations. First, the Act creates no remedies for businesses: it gives a company no new recourse if it suffers a breach, or if information it shared is mishandled. Second, the Act does not mandate sharing; reporting cyber threat information to the government or to other entities remains voluntary. Third, the Act does not require companies to adopt any particular cybersecurity best practices or controls.
Finally, the Act offers no financial incentives for sharing; its only inducements are the legal protections described above. As a result, organizations whose main concern is the cost and risk of sharing may remain hesitant to share cyber threat information with the government or with other organizations.
Consequences and Suggestions
Sharing cybersecurity information with public and private partners should be a component of a complete cybersecurity program for most organizations. By sharing, companies expand the pool of knowledge that the government and other companies can draw on to defend against attacks, to everyone’s benefit. Although CISA is unlikely to radically alter the cybersecurity landscape, it does tilt the balance in favor of more sharing by providing limited safeguards and increasing clarity around how, why, and when to exchange cyber threat indicators and defensive measures.
Where a company would already have been motivated, pre-CISA, to share cybersecurity information with the government or other companies, for example through participation in an ISAC or ISAO, there is a strong case for following CISA’s requirements and procedures in order to obtain the law’s protections. Although some one-time and ongoing effort and expense will go into complying with CISA, the benefits appear likely to outweigh the costs.
The more challenging question for a business is whether CISA should encourage it to enhance its voluntary information sharing over its baseline levels.
The future of the Cybersecurity Information Sharing Act
The Cybersecurity Information Sharing Act does not have a clear plan for the future. Its sharing provisions were written with a sunset: under Section 111 they expire on September 30, 2025 unless Congress extends them, so the protections described above are not permanent. Some organizations have also opposed the Act because of the risks they see in sharing information about cyber threats with the government and other organizations.
The Act could be amended to give organizations more legal protections and financial incentives for sharing information about cyber threats. It could also be amended to make sharing mandatory rather than voluntary.
Conclusion
The Cybersecurity Information Sharing Act is a federal law that helps organizations protect their networks and data from cyber threats. The Act encourages organizations to share cyber threat indicators and defensive measures with the government and with other organizations, and requires the government to develop procedures for providing organizations with information about cyber threats and vulnerabilities and to publish guidance on how to share under the Act.
Organizations can use the Act to enhance their cybersecurity. They should take advantage of its voluntary sharing provisions and legal protections, use the DHS/DOJ guidance as the basis for their own sharing policies, build or adopt a system (such as AIS, or an ISAC or ISAO) for exchanging cyber threat information with other organizations, and scrub personal information before anything leaves the building.
The Act can assist businesses in defending their networks and data from attack, but organizations should be mindful of its limitations: it creates no remedies, mandates nothing, and offers no financial incentives. When relying on it, organizations should follow the Act’s procedures carefully, since the liability and other protections attach only to monitoring and sharing done in accordance with it.
The Act’s future is uncertain. It may be amended to give corporations additional legal and financial incentives for sharing information about cyber threats, or to require businesses to report cyber threats to the government and other groups.
Sources:
- https://beta.congress.gov/bill/113th-congress/senate-bill/2588 (S.2588 – Cybersecurity Information Sharing Act of 2014)
- Center for Democracy and Technology: Analysis of Cybersecurity Information Sharing Act
- “Controversial Cybersecurity Bill Known As CISA Advances Out Of Senate Committee”
- “Discussion Draft of the ‘Cybersecurity Information Sharing Act of 2014’ (S.2588)”
- “CISA Security Bill Passes Senate with Privacy Flaws Unfixed”
- “H.R. 624 (113th): Cyber Intelligence Sharing and Protection Act — House Vote #117 — Apr 18, 2013”
- https://en.wikipedia.org/wiki/Cybersecurity_Information_Sharing_Act