Background
In February 2015, Anthem became the first major healthcare provider to experience a cyberattack when attackers stole 80 million records from Amerigroup and Blue Cross Blue Shield health plan users. In June 2015, hackers stole the personal information of over 20 million people from the Office of Personnel Management (OPM), which was the largest cyberattack on the U.S. government at the time. A month later, the hacking group Impact Team stole the user database of the adultery website Ashley Madison to blackmail its parent company, Avid Life Media. The hacking group released the private information of its 37 million users as well as the website’s database of corporate emails. The sheer number of cyber incidents in 2015 brought cybersecurity to the forefront of domestic policy, leading to the Cybersecurity Information Sharing Act of 2015. This law changed the way the private and public sectors tackle cyber threats by prioritizing the sharing of cybersecurity information, and it affected the federal government, private software companies, and the consumers who use their products.
Summary
Congress signed the Cybersecurity Information Sharing Act into law as Title I of the Cybersecurity Act of 2015. The act establishes the Cybersecurity and Infrastructure Security Agency (CISA) as the central hub for the sharing of “defensive measures” and “cyber threat indicators” between the private and public sectors for a “cybersecurity purpose.” The act also defines key terms:
- Cyber threat indicators: necessary information to identify “listed threats…[and] information on the ‘actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat’”.
- Defensive measures: something that “detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.”
- Cybersecurity purpose: the purpose of protecting an information system or information from a cybersecurity threat or security vulnerability.
In the past, companies seldom shared valuable cybersecurity information due to concerns about violating numerous regulations. This law altered that situation. It provides a series of protections to encourage companies to voluntarily share information, including federal antitrust exemptions, immunity from federal/state disclosure laws (like open government and freedom of information laws), and a non-waiver of applicable protections for sharing materials. Additionally, under the law, the shared material is treated as commercial, proprietary, and financial information. Moreover, this act grants an ex parte communications waiver, which means that CISA sharing of cyber threat indicators and defensive measures with the federal government is not legally considered communication with a decision-making official, and therefore not bound to the same rules.
CISA, housed within the Department of Homeland Security (DHS), centralizes the sharing of this information. The main method is the Automated Indicator Sharing (AIS) Initiative. Beyond details unrelated to cybersecurity threats, DHS also specifies categories of information that AIS participants may not share, such as:
- Protected health information (medical records, lab reports, etc.)
- Education history
- Human resource information (hiring decisions, performance, etc.)
- Financial information (credit reports, bank statements, etc.)
Arguments in Favor of and in Opposition to the Strategy
Supporters claim that the policy is beneficial because it reduces liability for companies. Companies can freely share cyber threat indicators, such as malware samples, without worrying about being charged with violations of antitrust or disclosure laws. This increases access to cyber threat information and defensive measures.
Moreover, proponents of the bill argue that the act provides greater cybersecurity. Increased information sharing helps companies improve their own security, which leads to more secure products and greater consumer trust. It also reduces the cost of improving cybersecurity, meaning that companies can still maximize their profit without sacrificing the security of their products.
However, there are also several reservations about the law. Opponents of the bill claim that cyber threat indicators are relatively ineffective and that there is not much evidence that sharing cyber threat indicators would enhance Internet security. In fact, in the years that CISA has been active, some of the indicators were unusable or inaccurate. This is partially due to a lack of expertise and staff at CISA, and the struggle the organization has faced in effectively providing guidance and training to AIS participants. Additionally, others believe that the act is insufficient. As opposed to simply focusing on information sharing, they believe that the U.S. needs a stronger and more expansive cyber strategy to combat the numerous cyber threats it faces.
Furthermore, many worry that the government’s data collection will expand beyond cyber threat indicators and defensive measures. They point to what they see as dangerously broad language that would allow the government to take much more information than needed to deter cyber threats. Others see it as a way for the government to circumvent search warrants and obtain personal information directly. Proponents, however, believe the privacy concerns raised by opponents of the bill carry little weight because companies must remove personal identifying data from the shared information; therefore, supporters believe there is no feasible opportunity for the collection of unnecessary information.
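The sharing restrictions listed earlier (no health, education, HR or financial information) and the requirement just mentioned that personal identifying data be removed before sharing both amount to a pre-submission filter on the participant's side. The following Python script is an added illustration written for this article; it is not part of AIS or any DHS tooling, and its field allowlist, category keywords, regular expressions and sample record are constructed assumptions rather than the program's real submission schema. It reduces a submission to an allowlist of indicator fields, labels each dropped field with the excluded category its name hints at, redacts personal identifiers from free-text fields, and returns an audit list so the submitter can review exactly what was removed.

```python
import re
from typing import Any, Dict, List, Tuple

# Fields a submission is allowed to carry. Anything else is dropped before
# sharing. This allowlist is constructed for the example; it is not the
# AIS submission schema.
ALLOWED_FIELDS = {"indicator_type", "value", "first_seen", "confidence", "description"}

# Free-text fields that are scanned for personal data. The indicator
# "value" itself is deliberately not scanned: a phishing sender address
# is the indicator, not incidental personal data.
FREE_TEXT_FIELDS = {"description"}

# Field-name fragments matching the categories DHS excludes from AIS
# sharing (health, education, HR, financial). These are assumed keywords,
# used only to label why a field was dropped; the allowlist does the
# actual enforcement.
EXCLUDED_CATEGORY_HINTS = {
    "health": ("patient", "diagnos", "medical", "lab_"),
    "education": ("school", "transcript", "gpa"),
    "hr": ("employee", "hiring", "performance", "salary"),
    "financial": ("credit", "bank", "account_number"),
}

# Patterns for personal identifiers that tend to leak into free text.
PII_PATTERNS = [
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
]


def classify_field(name: str) -> str:
    """Name the excluded category a field name hints at, or 'unlisted'."""
    lowered = name.lower()
    for category, hints in EXCLUDED_CATEGORY_HINTS.items():
        if any(h in lowered for h in hints):
            return category
    return "unlisted"


def scrub_submission(record: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Return a copy of `record` reduced to shareable content plus an audit
    list describing every removal, so the submitter can review it."""
    clean: Dict[str, Any] = {}
    audit: List[str] = []
    for key, value in record.items():
        if key not in ALLOWED_FIELDS:
            audit.append(f"dropped field {key!r} ({classify_field(key)})")
            continue
        if key in FREE_TEXT_FIELDS and isinstance(value, str):
            for label, pattern in PII_PATTERNS:
                value, hits = pattern.subn(f"[{label} redacted]", value)
                if hits:
                    audit.append(f"redacted {hits} {label} value(s) in {key!r}")
        clean[key] = value
    return clean, audit


# Constructed sample submission; the domain and all identifiers are made up.
SAMPLE_SUBMISSION = {
    "indicator_type": "domain",
    "value": "login-verify.example",
    "first_seen": "2024-01-15",
    "confidence": 70,
    "description": "Phishing page reported by j.doe@corp.example; "
                   "victim entered SSN 123-45-6789 on the form.",
    "patient_id": "P-0042",
    "employee_performance_rating": "meets expectations",
}

if __name__ == "__main__":
    shareable, log = scrub_submission(SAMPLE_SUBMISSION)
    print(shareable)
    for line in log:
        print("-", line)
```

On the sample record the two non-indicator fields are dropped and labelled as health and HR data, and the reporter's email address and the SSN are redacted from the description while the domain indicator itself is left intact. The allowlist, not the keyword hints, is what keeps unexpected fields out; the hints exist so the audit trail says why something was removed. A real AIS submission is expressed in the STIX format that the program uses, but the same two steps, allowlisting fields and redacting free text, apply to its fields as well.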
Conclusion
The Cybersecurity Information Sharing Act has been law for almost a decade and thus far has seen both successes and drawbacks. For example, by 2018, CISA had shared more than 5.4 million unclassified indicators with governmental and non-governmental entities and had more than 219 non-federal participants. On the other hand, as stated above, companies have discovered that some of the cyber threat indicators were unusable. AIS participants sometimes found that the shared indicators lacked background information that was vital to using them to deter potential cyber threats. In other cases, the indicators were simply inaccurate. Whatever its specific effects, there is no doubt that this act has shaped, and will continue to shape, the way the public and private sectors respond to cyber threats.