On December 18, 2015, President Obama signed the Cybersecurity Act of 2015 (The “Act”), legislation designed to combat online threats to the federal government, state and local governments, and private entities. Within the Act are four titles, the most significant of which is Title I, the Cybersecurity Information Sharing Act (“CISA”) (which begins at p. 694).
CISA addresses the manner in which the federal government and non-federal entities may share information about cyber threats and the defensive measures they may take to combat those threats.
CISA: An Optional Opportunity
- CISA does not require non-federal entities (private entities and state, local, and tribal governments, § 102(14)) to provide information to another entity (whether government or private). Nor does it permit federal entities to condition the provision of cyber threat indicators or the awarding of a grant, contract or purchase to a non-federal entity on that entity’s provision of cyber threat indicators to another entity. § 108(h).
- CISA does not subject entities to liability for failing to participate in information sharing under its ambit. § 108(i).
Information Sharing Under CISA
CISA authorizes non-federal entities to share cyber threat indicators and defensive measures with other non-federal entities and with the federal government for cybersecurity purposes. § 104(c)(1).
However, CISA does not authorize the sharing of “personal information” (a term CISA does not define); as such, non-federal entities must take one of two steps before sharing cyber threat indicators:
- review the cyber threat indicators to determine whether they contain information “not directly related to a cybersecurity threat” that the sharing entity “knows at the time of sharing” to be an individual’s personal information or information identifying an individual, and remove any such information; or
- as an alternative, non-federal entities may opt to put in place the technological capability to identify and remove such information from the information to be shared. § 104(d)(2)
Information Use and Retention
- Non-federal entities
- A non-federal entity that receives shared cyber threat indicators or defensive measures may use that information to engage in monitoring and defense of information systems consistent with the rules discussed below under “Monitoring and Defensive Measures,” and may also use, retain, or further share such information subject to otherwise applicable laws or lawful restrictions placed by the sharing entity. § 104(d)(3).
- Federal entities
- Under § 103, the heads of certain federal departments and agencies must create procedures to “facilitate and promote” sharing cyber threat indicators and defensive measures (of various levels of secrecy) in federal government possession with other federal and non-federal entities.
- Cyber threat indicators and defensive measures provided to the federal government under CISA may only be “disclosed to, retained by, or used by” federal entities or personnel for certain specified purposes and in a manner protective of privacy and civil liberties. § 105(d)(5)(A)-(C).
Incentives to Share
CISA provides non-federal entities with a number of incentives to share cyber threat indicators and defensive measures:
- Protection from liability: Section 106(b) protects non-federal entities from liability in claims arising from their sharing or receipt of information pursuant to CISA. To receive this liability protection, sharing or receiving entities must act in accordance with CISA. If they are sharing with the federal government, they must use the sharing process that the Department of Homeland Security is tasked with creating under § 105(c)(1) (unless they fall under one of the exceptions contained within that provision).
- Exemption from FOIA and other disclosure laws
- Threat indicators and defensive measures shared under CISA are exempt from disclosure under federal, state, local and tribal freedom of information laws, §§ 104(d)(4)(B); 105(d)(3).
- Exemption from regulatory use
- Threat indicators and defensive measures shared under CISA generally may not be used for regulatory purposes by governmental authorities. §§ 104(d)(4)(C); 105(d)(5)(D).
- No waiver of privileges and protections for information: Sharing cyber threat indicators or defensive measures with the federal government under CISA does not waive any privilege or legal protection otherwise applicable, and information shared with the federal government is considered the sharing entity’s proprietary information if so designated. § 105(d)(1), (2).
- Antitrust exemption: It is not considered a federal antitrust violation for “two or more private entities to exchange or provide a cyber threat indicator or defensive measure, or assistance relating to the prevention, investigation or mitigation of a cybersecurity threat, for cybersecurity purposes.” § 104(e). This provision is not, however, to be construed to permit actual anti-competitive behavior. § 108(e).
Monitoring and Defensive Measures
CISA also puts into place rules that govern private entities’ monitoring of and defense against cybersecurity threats:
- Section 104(a) permits private entities, for cybersecurity purposes, to monitor their own information systems, the information systems of other non-federal and federal entities whose authorization and written consent they receive, and information that is stored on, processed by, or passing through such information systems.
- Section 106(a) protects from liability those monitoring activities permitted by § 104(a).
- Section 104(b) permits private entities to use defensive measures to protect their own information systems, as well as the information systems of other non-federal and federal entities that consent in writing to the use of that defensive measure.
- CISA’s definition of defensive measures excludes measures “that destroy, render unusable, provide unauthorized access to, or substantially harm” information systems of non-consenting entities, or the information on them. § 102(7)(B).
Other Provisions of Note
- CISA provides that the sharing of a cyber-threat indicator or defensive measure with a non-federal entity does not create a right to obtain similar information on behalf of the receiving, or any other, non-federal entity. § 104(f).
- CISA does not create a duty to share cyber threat indicators or defensive measures, or to warn or act as a result of receiving such information. § 106(c)(1).
- CISA does not, however, say anything about the availability of common law causes of action, such as negligence, in such situations.
- Section 108(k) of CISA preempts state or local laws that “restrict or otherwise expressly regulate an activity authorized under this title.”
- CISA is scheduled to sunset after 10 years. § 111.