The US Chamber’s public letter on cybersecurity last month urged businesses to take full advantage of the Cybersecurity Information Sharing Act signed into law by President Obama in December 2015. It caused renewed interest in the law, and this post outlines how small and midsized businesses can be sheltered by it when they partner with others to deal with the most common cybersecurity threat, spear phishing.
Used in even the most sophisticated cyber-attacks, spear phishing is nothing more than getting employees to transfer money or information through emails that pretend to be from another person authorized to make the request.
Spear phishing works when bad actors steal enough information to know who to impersonate and who to give orders to.
The information is stolen in many ways. Tracking how thieves attacked your company is vital to secure your systems and prevent future attacks. Re-creating the crime often means sharing information with financial institutions, suppliers, customers, employees, law enforcement, and others.
The thieves won’t sue you for exposing their activity, but if personal information about people is exchanged in the tracking process, lawsuits and other legal damage can and do result.
The CISA protects companies sharing information about specific individuals in connection with “cyber threat indicators” and “defensive measures” for a cybersecurity purpose. If you follow its rules, your company can’t, among other things, be sued for sharing the information.
To make it easier to follow the rules, the Homeland Security and Justice Departments released a CISA owner’s manual, “Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities Under the Cybersecurity Information Sharing Act of 2015.”
Personal information is involved in the description of a spear phishing attack by definition. The Guidance recognizes this includes information about the bad actor, the subject line, the email message content, message ID, and X-Mailer. But the identity of the individual being impersonated and his or her email address are information you must scrub because it is “not directly related to” the threat.
Also needing to be removed are such things as protected health information, HR information, consumer purchasing history or preferences, and financial information.
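As an added illustration of the scrubbing step the Guidance describes (this is not code from the post or from the Guidance), the Python below keeps the fields the Guidance lists as shareable and redacts the impersonated person’s name and email address, plus any other terms you pass in. The sample message, the names and the domains are constructed for the example.

```python
import re
import email
from email import policy

# Constructed sample of a spear-phishing message (not from the post). "Jane Doe" is the
# impersonated executive; examp1e-corp.test is the attacker's look-alike domain.
SAMPLE_EML = """\
From: "Jane Doe" <ceo-office@examp1e-corp.test>
To: accounts-payable@example.com
Subject: Urgent wire transfer - confidential
Message-ID: <constructed-0001@examp1e-corp.test>
X-Mailer: ConstructedMailer 1.0
Content-Type: text/plain; charset="utf-8"

Hi, Jane Doe here. Please wire $48,200 to the new vendor account today.
Do not call to confirm; my usual address jane.doe@example.com is down.
Jane
"""

# Fields the Guidance lists as part of the indicator: the bad actor's sending identity,
# the subject line, the message content, the Message-ID and X-Mailer.
SHAREABLE_HEADERS = ("From", "Subject", "Message-ID", "X-Mailer")


def build_indicator(raw_eml, impersonated, extra_terms=()):
    """Return a dict of shareable fields with personal information that is not
    directly related to the threat scrubbed out.

    impersonated: dict with the 'name' and 'email' of the person being impersonated
                  (assumed to be known from the investigation).
    extra_terms:  other strings to scrub before sharing (e.g. HR, health or account
                  details found in the message).
    """
    msg = email.message_from_string(raw_eml, policy=policy.default)
    record = {h: str(msg[h]) for h in SHAREABLE_HEADERS if msg[h] is not None}
    body = msg.get_body(preferencelist=("plain",))
    record["Body"] = body.get_content() if body is not None else ""
    # Redact the full name, each name token (a bare "Jane" in a signature) and the
    # real address; longest terms first so whole matches win over partial ones.
    secrets = [impersonated["name"], *impersonated["name"].split(),
               impersonated["email"], *extra_terms]
    secrets = sorted({s for s in secrets if s}, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(s) for s in secrets), re.IGNORECASE)
    return {k: pattern.sub("[REDACTED]", v) for k, v in record.items()}


if __name__ == "__main__":
    person = {"name": "Jane Doe", "email": "jane.doe@example.com"}
    for field, value in build_indicator(SAMPLE_EML, person).items():
        print(f"{field}: {value}")
```

The attacker’s sending address stays in the record because it is information about the bad actor; the redaction list is what you know at the time of sharing, so extend `extra_terms` as the investigation turns up more personal details.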
Liability protection for sharing with the federal government requires you to go through the process set up by the Department of Homeland Security at the National Cybersecurity and Communications Integration Center. It is a 24/7 management center where incidents can be reported through the US-CERT Incident Reporting System (https://www.us-cert.gov/forms/report).
The CISA also assures you that sharing threats and defensive measures does not waive privileges like the lawyer/client privilege or protections for trade secrets. Sharing can’t violate the antitrust laws or make proprietary information public. And shared information can’t be used by federal, state or local regulators.
Additional requirements include restrictions imposed by other parties sharing information with you, and having a “security control” to guard threat indicators and defensive measures from unauthorized access.
Yes, there’s a cost for CISA’s protections. But it brings many benefits, and compliance pays off beyond the protections built into the law, for example by providing an excellent roadmap for managing a spear phishing attack. Deciding whether to share threat information or defensive measures under the CISA should ideally be part of your overall cybersecurity strategy.
Smaller and mid-sized companies may not feel they can afford the luxury of developing a cybersecurity strategy at leisure, so their strategy may have to be the result of dealing with threats as they occur.
Being aware of CISA’s protections and requirements can still be valuable if you must make decisions while under attack.