WASHINGTON — The Department of Homeland Security and the Department of Justice on Tuesday released guidelines for the implementation of the Cybersecurity Information Sharing Act, prompting some industry skepticism as well as renewed privacy concerns.
A provision of the cybersecurity bill signed by President Obama in December 2015 directed the agency to oversee a system that could help foster the sharing of cybersecurity information between private institutions, local governments and federal agencies in a timely fashion.
The guidelines are designed to reinforce and codify ongoing coordination between the financial services industry and government entities.
"This has always been a partnership," said Doug Johnson, vice president of payments and cybersecurity policy at the American Bankers Association. "We think the law has given us greater clarity in terms of how to share that information."
The agency plans to implement CISA through "automated indicator sharing," a system that publishes submitted cybersecurity information in quasi-real time to participants. AIS is run by the National Cybersecurity and Communications Integration Center, which coordinates between government and the private sector and is plugged into the Financial Services-Information Sharing and Analysis Center, the main clearing house for cybersecurity threat-sharing within the industry.
To join AIS, companies must adhere to technical specifications called the Structured Threat Information eXchange and Trusted Automated eXchange of Indicator Information. STIX acts as a coding language for sharing cybersecurity threat information, and TAXII is a set of information-sharing standards. Developed in consort between the DHS and private actors, these two specifications are already in use by FS-ISAC.
The DHS's system is programmed to automatically remove excessive information; only in certain cases will human intervention be required to ensure certain information does not slip through.
The guidelines are "consistent with the manner in which private firms share information now within the financial information sharing and analysis environment," Johnson said. "It's in the mechanism for us to share with the public sector presently."
For banks and other private entities, the central benefit of CISA is to "make sure that the liability protections are in place," said Kevin Petrasic, a partner at White & Case focusing on banking practices.
For privacy advocates, however, that's the problem with the law itself — a lack of concern for the privacy of individuals whose information might get caught in the data submissions.
"When you combine weak privacy protection with a weak [requirement] to remove private information with really robust liability protections, you're really encouraging bad behavior," said Robyn Greene, the policy counsel at New America's Open Technology Institute.
The guidelines allow private entities to share cyberthreat information and defense measures that contain personally identifiable information, as long as that information is "directly related to a cybersecurity threat."
If unrelated private information gets through, the agencies are required to destroy the information "in a timely manner," but an individual whose information has been shared in connection to a cyberthreat can do nothing to remove or rectify the information. The standard for sharing defensive measures undertaken by companies is lower.
Greene noted that before submitting information through the system, private entities and local governments are only required to perform "a review." The guidelines do not detail how in-depth the procedure must be.
"It just says you have to have a review which could include a cursory review," Greene said.
Still, Greene said, "The DHS did as much as they could with the hand they were dealt."
One silver lining, she said, was that victim-identifying data was not listed as information that could be deemed "directly related to a cyber threat" — and is thus out of bounds.
Overall, Greene said, the cybersharing law does not do enough to protect the personal data of consumers. "While it's voluntary for the companies we entrust that information with, it's not voluntary for us," she said.
But that's missing the forest for the trees, industry representatives argue.
"The vast majority of threat information that is shared is not about personal identifiable information, it's about the nature of the malicious software that is being utilized, what parts of a computer system might be being attacked, the locations that the attack is coming from and the measures that a financial institution can take that largely address the attack," Johnson said. "None of that contains [private] information."
It remains to be seen, though, whether the implementation of CISA as envisioned by the homeland security agency will be effective in encouraging the private sector to cooperate with authorities by sharing their cybersecurity threats and defensive measures.
"It's one thing to share with a peer that you can rely on. ... It's a different thing to share it with a federal entity [when] there might be obvious defensive measures that should have been taken based on the information that you shared," Petrasic said. "You're really opening up a whole can of worms at that point."