Last week, the Department of Homeland Security (“DHS”) released its Final Rules for private-sector information-sharing under the Cybersecurity Information Sharing Act of 2015 (“CISA”). CISA permits private companies to share cyber-threat information with the U.S. government and shields those companies from liability for doing so. The new CISA Rules outline exactly how this information-sharing will work, namely: how information is submitted; what information gets submitted; and what happens to the information after submission.
HOW IS INFORMATION SUBMITTED?
The preferred method for submitting cyber-threat data to DHS is through “TAXII”, short for “Trusted Automated Exchange of Indicator Information.” TAXII is a technical protocol developed by DHS to securely and efficiently share cybersecurity information. Entities will have a “direct line” to DHS for automated submission of data. Instructions for setting up a connection to the DHS TAXII server can be found at https://www.us-cert.gov/essa. The new CISA Rules also allow for manual submission of cyber-threat information via a web interface and email, but note that such avenues are disfavored because they are less direct, slower, and more prone to error.
WHAT INFORMATION GETS SUBMITTED?
The information submitted through the TAXII connection is a subset of “Structured Threat Information Expression” (“STIX”). STIX is essentially a standard form that asks for certain pieces of data useful for describing and assessing a cybersecurity threat: digital “observables”, past incidents, what vulnerabilities are targeted, etc. The CISA Rules require entities sharing information with DHS to use the Automated Indicator Sharing (“AIS”) profile, a subset of the STIX data that has been selected to maximize utility while minimizing the chances of personal information being disclosed.
WHAT HAPPENS TO THE INFORMATION?
Once a submission reaches DHS, it undergoes automated processing that confirms that the submission follows the AIS format, cleans up any extraneous data, and, if the submitting entity wishes, removes any identifying information. The automated processing will also queue submissions for human review if it detects personal information. Once a submission is sanitized, the cyber-threat information is shared among federal entities.