CISA’s Interim Guidelines: A Good Start, but with Lingering Privacy Concerns
Written by Jadzia Butler
Two months ago, President Obama signed the Cybersecurity Information Sharing Act (Title I of the Cybersecurity Act) into law as part of a $1.15 trillion omnibus spending bill. Privacy and civil liberties advocates, including CDT, voiced sharp criticism due to the secret, backroom nature of the CISA negotiations, which resulted in several important privacy protections being pushed aside. Last week, the Department of Homeland Security and the Department of Justice published guidelines that describe how cyber threat indicators (CTI’s) and defensive measures are supposed to be shared, received, used, and disseminated, as well as the privacy protections that should be applied throughout the process. Specifically, the agencies released 1) Guidance to help non-federal entities share CTI’s and defensive measures with federal entities; 2) Privacy and Civil Liberties Interim Guidelines; 3) Guidelines for the sharing of CTI’s and defensive measures by the federal government; and 4) Interim procedures for the federal government’s receipt of CTI’s and defensive measures.
The guidelines are a positive step in the right direction. They are well-written, organized, and contain helpful examples of how to efficiently and effectively share cyber information while taking the necessary steps to safeguard privacy. However, there are a number of important privacy concerns that the guidelines leave unaddressed, largely because the legislation itself failed to address them. Moreover, the voluntary nature of “guidelines” means their efficacy will ultimately hinge on whether or not entities choose to abide by them.
Guidance for Non-Federal Entities Sharing with Federal Entities: The guidelines that describe how non-federal entities (such as ISP’s and banks) should share CTI’s and defensive measures with the federal government are arguably the most important from a privacy standpoint, because they govern situations where entities entrusted with consumer information may share that information “notwithstanding any law” (including privacy laws) and with strong liability protections. The guidelines begin with a very important caution: only information that is directly related to and necessary to identify or describe attributes of cybersecurity threats, such as malicious reconnaissance, methods of defeating security controls, and phishing attacks, can be shared as a CTI under CISA. Therefore, companies that share personal information that is not necessary to identify or describe such attributes may face liability for doing so. This is an incredibly important privacy protection, and the guidelines provide a series of helpful examples of what information is appropriate to share as a CTI or defensive measure, and what types of personal information should probably be removed before sharing.
Although this restriction is important, it does not solve all of the program’s potential privacy problems. The guidelines provide examples of otherwise applicable privacy laws in order to help companies identify sensitive information that should probably not be shared. However, this list actually demonstrates how limited US privacy protections really are. Unlike the European Union, which provides a set of baseline privacy protections to all residents’ information (no matter the industry that the data belongs to), the United States has a scattered patchwork of privacy laws with standards that vary sector by sector. Even more troubling, the list does not include the Electronic Communications Privacy Act (ECPA) or the Wiretap Act – the two laws most likely to be “otherwise applicable” to information sharing authorized by the legislation because they prohibit (with exceptions) the intentional disclosure of electronic communications.
In addition, although CISA only requires the release of non-federal entity guidelines for circumstances where a non-federal entity shares information with a federal entity, CISA permits non-federal entities to share information with any other entity-including other non-federal entities. There should be additional guidelines for when it is appropriate for companies to share information with one another, and the privacy protections that should be in place when they do.
Privacy and Civil Liberties Interim Guidelines: The privacy and civil liberties guidelines governing federal entities’ receipt, retention, use, and dissemination of CTI’s provide a good foundation for ensuring that privacy considerations are taken into account throughout the information sharing process. The guidelines are based on the Fair Information Practices Principles (FIPPs), a widely accepted framework for safeguarding privacy. For example, the guidelines promote transparency by encouraging federal entities to periodically publish Privacy Impact Assessments. They encourage data minimization by requiring the timely destruction of CTI’s that contain personal information not directly related to cybersecurity. In addition, although the privacy guidelines generally only apply to shared CTI’s, federal entities are strongly encouraged to apply the guidelines to shared defensive measures, as well, which, as the guidelines rightly point out, may contain CTIs. This clarification should help ensure that the privacy guidelines accomplish their protective goals.
Disappointingly, these privacy guidelines do not provide any new limitations that would narrow the scope of circumstances in which information can be shared with law enforcement for purposes unrelated to cybersecurity. Instead, they merely repeat the overly broad language from the statute, which lays out a number of law enforcement uses of shared CTIs that have nothing to do with cybersecurity. For example, even under these guidelines, information shared with the federal government for cybersecurity reasons could be stockpiled and mined for use in unrelated investigations of espionage, trade secret violations, and identity theft. Without additional limitations, the information sharing program could end up being used as a tool by law enforcement to obtain vast swaths of sensitive information that could otherwise be obtained only with a warrant or other court order. In other words, privacy advocates’ warnings that CISA is really a surveillance bill dressed in cybersecurity clothing may still come to fruition.
Guidelines for Receipt and Sharing of CTI’s/Defensive Measures by Federal Entities: The guidelines for the receipt and sharing of cyber information by federal entities contain two important privacy enhancements. First, and most importantly, the guidelines put in place a commonsense procedure for DHS to delay the automatic sharing of information with other federal entities in order to take the time needed to remove personal information. This resolves a conflict inherently in the law between the need for speed and the need to implement privacy protections that take a moment. CDT was initially concerned that DHS would have no time to remove sensitive information before sharing it in a CTI because the statute only permits delays that are the result of “controls” approved by the heads of all appropriate federal entities, which could have been a burdensome process that might never occur. However, the controls established by the guidelines appear to address this concern. Once DHS receives a CTI or defensive measure submission, any data fields that appear to contain an error will be referred by automated processes for human review. If irrelevant personal information is found, that information will be removed before any other federal entity sees it. If possible, DHS will still transmit the fields that do not require human review to the appropriate federal entities without any delay.
In addition, the guidelines promote efficiency in a way that will help minimize the sharing of extraneous personal information. The guidelines do not require the government to reinvent the wheel in order to kick off the information sharing program – in fact, it leaves many of the mechanisms that already exist for cyber information sharing in place. Companies will receive liability protection if they share information through the DHS real-time capability, the Automated Indicator Sharing (AIS) initiative. The AIS initiative uses the technical specifications and procedures established by DHS’s preexisting Structured Threat Information eXchange (STIX) and Trusted Automated eXchange of Indicator Information (TAXII). The guidelines also contain a non-exhaustive list of examples of current procedures that support the timely sharing of classified, declassified, or unclassified CTI’s and defensive measures with relevant entities (such as the Department of Defense’s Defense Industrial Base (DIB) Cybersecurity Program and the DHS’s National Cybersecurity and Communications Integration Center (NCCIC)). In addition, the guidelines help limit the amount of extraneous information that the government receives by encouraging entities to submit information by filling out the AIS Profile, which only contains select input fields. This not only helps to protect privacy by discouraging the inclusion of unnecessary personal information, but also enhances the efficiency of the cybersecurity program by ensuring that only information critical to identifying or describing a cyber threat is brought to the attention of the appropriate entities.
In many respects, the guidelines ameliorate CDT’s concerns about CISA’s information sharing program. Whether or not these guidelines are actually followed, however, remains to be seen.