A Deep Dive on the Final CISA Guidelines

The Departments of Homeland Security and Justice have been busy since February.

Last week, they issued final guidance mandated by the Cybersecurity Information Sharing Act of 2015 (“CISA”)—the law that provided broad liability protections for private companies that share cyber threat information with the government (or among themselves), which is then disseminated to various government agencies, including entities like the National Security Agency.

CDT was critical of the law as enacted, both on process—Congress slipped it into a “must-pass” bill at the 11th hour with limited debate—and substance. CDT’s takedown is here.

The final guidance documents replace a series of interim pieces the two departments issued in February, which we commented and called a “good start” while suggesting a series of targeted improvements.  Since February, there has been some interesting movement on the margins—both good and not-so-good—though not much has changed.  The guidelines remain a mixed bag, which is perhaps understandable given the inherent flaws in CISA.

For instance, the new guidance contains some helpful clarity on when DHS, the primary agency that receives “cyber threat indicators” and “defensive measures” under CISA, [1] along with other agencies that receive this information directly, can delay dissemination to strip out irrelevant personal information.

However, the guidance fails to address many of the foundational issues in the law itself, and we remain concerned that CISA will result in the sharing of sensitive personal information with elements of the intelligence community, military, and federal law enforcement.  That information could then be used for purposes that go far beyond “cybersecurity,” including the investigation and prosecution of crimes under the Espionage Act and the Computer Fraud and Abuse Act, both of which have been subject to abuse and often invite overreach.

The final CISA procedures and guidance can be found on the landing page for the DHS’s “Automated Indicator Sharing” (“AIS”) system, the portal designated by CISA for receipt of cyber threat information.

It’s a little confusing navigating the guidance as there are four separate sets.  Three of them have been updated and finalized, namely guidance on sharing by non-federal entities with the federal government and among themselves, final procedures on the receipt of cybersecurity information by the government, and final guidelines on privacy and civil liberties.  A fourth that covers government-to-government and government-to-private sharing remains unchanged from February. The interim guidance can be found on our site here (non-federal entity sharing), here (privacy and civil liberties), and here (receipt procedures).

We go through each in turn below, highlighting areas where DHS and DOJ deserve credit for shoring up or clarifying privacy and civil liberties protections in the guidance, and where the guidelines continue to fall short.

It is important to note at the outset that none of the guidelines address one baseline issue with CISA—the overly permissive “use” provision that allows cybersecurity information to be shared and then used for non-cybersecurity purposes.  The guidance simply restates the list of authorized uses in § 105(d)(5) of CISA, which, as noted above, include uses beyond cybersecurity purposes (or emergency situations), such as preventing “serious economic harm,” or “preventing, investigating, disrupting, or prosecuting” various criminal offenses such as identity or trade secret theft and the aforementioned Espionage Act and CFAA.

Sharing By Non-Federal Entities [2] With the Federal Government and Among Themselves

The Good

Unlike the privacy and civil liberties guidelines and procedures governing the receipt of cyber threat indicators and defensive measures, DHS and DOJ were not required to issue final guidance in this context, nor were they required to issue guidance on private-to-private sharing.

CDT, along with a number of industry players, nevertheless asked the agencies to provide such guidance, which they did in a new annex to this set of guidelines.  The annex clarifies that liability protections attach to private-to-private sharing if conducted in accordance with CISA.  It also helpfully restates the requirement that sharing be only of cyber threat indicators and defensive measures, and that private entities sharing such information with other private entities strip out personal information that is not “directly related” to a cybersecurity threat.

Additionally, the new guidance may go further in limiting “over-sharing.”  On page 11, the guidance reiterates that sharing may only occur, and companies will only enjoy liability protections, with respect to cyber threat indicators and defensive measures.  It includes the example of sharing an entire hard drive and clarifies that everything stored on the drive is “unlikely” to solely contain information constituting a cyber threat indicator or defensive measure.  This means that a prospective sharer would have to segregate out the information that does constitute a cyber threat indicator or defensive measure and only share that.  The guidelines also state that the same principle would apply to network logs or other similar artifacts.

The guidance reiterates several times that information may only be shared for a “cybersecurity purpose” (most importantly on page 11 of the June guidance and in footnote 12).  Although this is a bit of a mixed bag, as the definition of “cybersecurity purpose” is quite broad and includes, for instance, physical threats to an information system or data, it may still prompt some circumspection by entities that seek to share cyber threat indicators or defensive measures under the law.

Finally, the guidance quietly adds a potentially powerful limitation on the definition of “defensive measure” (compare footnote 8 in the February guidance with footnote 9 in the June guidance).  Many had criticized the definition of “defensive measure” because it only excluded actions that would cause “substantial” harm to another entity’s information system.  Put another way, many expressed concern that CISA affirmatively authorized entities to deploy defensive measures that would harm another entity’s information system, but just not do so “substantially” (whatever that means).

Footnote 9 adds this sentence: “Even if a defensive measure does not cause [substantial harm to another entity’s information system or data], it is still not within CISA’s definition if it enables unauthorized access to another entity’s information system” (emphasis added).  Although limited by the fundamental problem that this guidance is merely that—guidance—this may lend helpful pause to entities developing defensive measures under CISA.

The Not-So-Good

Put simply, the guidance continues to raise privacy and civil liberties concerns because CISA itself fails to include essential privacy and civil liberties protections.

While the guidance continues to include some helpful language, required by CISA, to assist companies in identifying information that would be covered by otherwise applicable privacy laws and is unlikely to be “directly related” to a cybersecurity threat, and therefore not shareable, it does not include the Electronic Communications Privacy Act or the Wiretap Act in that list of laws.  As we noted back in February, those would be two of the “otherwise applicable” laws most relevant as they prohibit the disclosure of electronic communications content by private entities in many contexts.

The guidance is also troubling in what it does not say.  Under CISA, entities may freely share cyber threat indicators and defensive measures that contain personal information about their customers (and potentially a lot of personal information) so long as they do not “know” at the time of sharing that the personal information is not “directly related” to a cybersecurity threat.  In practice, that gives companies a fair amount of leeway and could encourage willful blindness.

Coupled with the fact this information can then be used by the military, intelligence agencies, and federal law enforcement for non-cybersecurity purposes, the “knowing” standard may effectively lead to the sharing of irrelevant personal information about CISA participants’ consumers with the nation’s national security and spying apparatus where it can be used for, well, national security and spying.  The guidance fails to alert prospective sharers to this danger, and it arguably should.

The Privacy and Civil Liberties Guidelines

The Good

Back in February, CDT noted a couple of positive features of the privacy and civil liberties guidance.  These included the fact the guidance is based on the Fair Information Practice Principles (“FIPPs”), provides dissemination and retention directions, and that the DOJ and DHS strongly encouraged entities to apply the guidance to defensive measures, even though they are not bound by CISA to do so.  All of these points still stand in the final guidance.

The Not-So-Good

One of CDT’s primary complaints has not been addressed in the final guidance.  There is nothing in the guidance that further limits the use authorizations in CISA.  Under § 105(d)(5), cyber threat indicators and defensive measures, including those that contain sensitive personal information, may be used for an array of purposes that are not related to cybersecurity.  These include, controversially, the prevention of “serious economic harm” (which is undefined and potentially expansive), and “preventing, investigating, disrupting, or prosecuting” a wide variety of crimes. [3]  There is nothing in the guidance that narrows or otherwise limits these overbroad use authorizations.

There is also one curious addition to the guidance.  On page 12 of the final guidance, the agencies added a new paragraph into the section on retention, which back in February only said that agencies may retain information for all the uses authorized in CISA and destroy cyber threat indicators when it becomes known that it contains personal information that is not directly related to an authorized use. [4]

The new paragraph says that “retention schedules . . . should be consistent with the operational needs of each federal entity and in accordance with the Federal Records Act” and should be “appropriate to their mission.”  It’s an odd change, especially given that so much of the document repeats verbatim the interim guidance.

Though not express, it is worth asking whether this means that cyber threat indicators and defensive measures that are being used for law enforcement or national security purposes outside cybersecurity could be retained for a long period of time, or indefinitely.  Were an agency to make a “collect it all”-style argument, which many believe led to the NSA’s bulk telephone metadata collection program, could it just dump these indicators and defensive measures into a database and mine it in the future for purposes far beyond cybersecurity?

Finally, as Access Now explained, the notice sections, which are described on page 5 in the privacy and civil liberties guidance, are inadequate.  First, if one’s personal information is shared as part of a cyber threat indicator and is directly related to a threat, one would receive no notice at all.  That would be “counter to the utility” of the cyber threat indicator.

But is that actually true?  If I receive a spearphishing email that appears to be from a close acquaintance, and it is shared with the government, how difficult would it be to notify me that it has been shared and why would that impair the government’s efforts to identify the attacker?  The government has provided notice to injured parties in similar contexts—most notably the hack at the Office of Management and Budget.  It is unclear why it could not do so here.

Additionally, the limited notice provisions that do exist in CISA have an undue focus on US persons.  There are procedures for notifying individuals whose personal information has been shared in violation of CISA, but only US citizens or permanent residents.  As Access notes, this is in spite of the fact that much of the information that will be shared will presumably be global data.

Procedures for the Receipt of Cyber Threat Indicators and Defensive Measures

The Good

Page 8 of the final guidance retains the “DHS scrub” provisions, which permit DHS to delay dissemination of cyber threat indicators and defensive measures to prevent the inappropriate sharing of personal information.  It would do so in two ways.

First, when DHS receives a cyber threat indicator or defensive measure through its automated portal, it will run an automated process to identify personal information that is not directly related to the threat, which can then refer certain fields for further human review.

Second, and importantly, for a small number of fields where the risk of personal information being inappropriately shared cannot be mitigated through automatic means, DHS will perform a straight human review.  If DHS finds that the field being reviewed contains personal information that is not directly related to a cybersecurity threat, it will scrub the field and share only a sanitized version.

Additionally, the final guidance has a key amendment that may prove particularly positive.  Under the interim guidance, a separate section (3.1.2) stated that other government entities receiving a cyber threat indicator or defensive measure from a non-government entity outside of the real-time process could subject it only to “minimal” delay due to controls intended to scrub personal information.

The final guidance eliminates that section and states simply (on page 9) that “[m]odifications, delays or other actions undertaken to remove personal information of specific individuals or information that identifies specific individuals that is not directly related to the cybersecurity threat are permissible.”  Again, this is a key second privacy scrub.  Although “permissible” should be “mandatory,” this does seem like a positive change.

The Not-So-Good

There is not too much to complain about here with regards to the guidance itself.  Any flaws with the receipt procedures are endemic to CISA, including, for instance, the requirement to scrub personal information only when a government or non-government entity knows to a certainty at the time of sharing that it is not directly related to a cybersecurity threat.  It would have been beneficial to have more express guidance on when and how other government entities, especially in the national security realm, must scrub such information, but the language we note above is about as strong as it can be given the weaknesses of CISA.

Government-to-Government and Government-to-Private Sharing

Finally, there is separate guidance on when and how the federal government can share cyber threat indicators and defensive measures with state, local, tribal, and territorial government entities and the private sector.  As noted, CISA did not require the issuance of interim and final guidance here, so the February version is the operative one.

* * *

In sum, while DHS and DOJ deserve credit for issuing thoughtful and clear guidance to private sector and government entities, CISA itself remains a problem for civil liberties and privacy.  Additionally, the guidance was issued simultaneously with and discussed at a CISA oversight hearing in the House Homeland Security Committee’s cybersecurity subcommittee.  Disappointingly, no privacy or civil liberties experts were invited to testify, and there was little discussion of the ongoing and serious concerns many have with the law.

Undoubtedly, CISA and its implementation will continue to be controversial and CDT will be following this issue closely.  For now, our verdict on the final CISA guidance:  it’s a mixed bag and the law itself is still flawed.

 

 

[1]                 “Cyber threat indicator” and “defensive measure” are important defined terms in CISA.  Crucially, entities may only share cyber threat indicators and defensive measures, and may only do so for a “cybersecurity purpose.”  These limitations do not mitigate the privacy and civil liberties concerns with the law, but they are important breakwaters that at least reduce the possibility of personal information being inappropriately shared with the government.  The definition of cyber threat indicator can be found at § 102(6) (page 1731), and includes information “necessary to describe or identify” things like “malicious reconnaissance,” security vulnerabilities, “malicious command and control,” and, troublingly, the catch-all language “any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law.”  The definition of defensive measure is at § 102(7) (page 1733), and is likewise broad.  A defensive measure is any “action, device, procedure, signature, technique, or other measure applied” to an information system or data that “detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.”  The latter two terms are also defined in § 102.

[2]                 Non-federal entities are private entities along with state, local, tribal, and territorial government entities, including law enforcement agencies.

[3]                 It’s worth noting that the terms “preventing” and “disrupting” are problematic.  It would be one thing if the information shared clearly indicates imminent, active, or past criminal activity.  But prevention and disruption suggest that law enforcement could retain information that does not, on its face, indicate criminal activity, but may hypothetically do so in the future.  Again, this goes to the concern of some that CISA could morph into a new authority to collect personal information for surveillance purposes.

[4]                 This is actually an interesting, and potentially troubling, formulation.  Sharers must strip out personal information that they know at the time of sharing is not directly related to a cybersecurity threat.  This is different.  If the personal information is improperly shared (or the entity does not know at the time of the sharing that it is not related), even if it is subsequently found to be not directly related to a cybersecurity threat, but is directly related to, for instance, an Espionage Act or CFAA investigation (both authorized uses), it may be retained and used even though it has nothing to do with a cybersecurity threat.  That’s a mouthful, but the bottom line is that entities may retain information that they actually determine has nothing to do with a cybersecurity threat, but does have some relevance for, for instance, an Espionage Act investigation.