The Department of Homeland Security is moving forward with the biggest piece of cybersecurity legislation passed last year, issuing preliminary guidance on how the private sector and government will communicate threat data as part of the Cybersecurity Information Sharing Act.
In cybersecurity — possibly more so than most other endeavors — knowledge really is power. Knowing the signature of an attack vector, the telltale signs of certain types of malware or, as DHS Secretary Jeh Johnson suggested, "the subject line of a spear-phishing email or the IP address of the computer from which it originated" can help defenders block malicious traffic and stop hackers in their tracks.
Of course, that only works on a large scale if that information is shared in a timely manner.
"These guidelines provide federal agencies and the private sector with a clear understanding of how to share cyber threat indicators with DHS's National Cybersecurity and Communications Integration Center and how the NCCIC will share and use that information," Johnson said in a news release.
Johnson pointed to DHS’s Automated Indicator Sharing system, which is how the government and private sector currently share threat data in real time. The guidance, released Feb. 16, for persons and companies sharing with the government updates the procedures for info-sharing, which include new liability protections and require the scrubbing of personally identifiable information.
"The law importantly provides two layers of privacy protections," he said. "Companies are required to remove personal information before sharing cyber threat indicators and DHS is required to and has implemented its own process to conduct a privacy review of received information."
The new guidelines offer companies a road map for how to share information with the government while staying within the bounds of the law, as well as how the feds will reciprocate.
The guidance includes four draft documents:
- Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government
- Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities
- Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government
- Privacy and Civil Liberties Interim Guidelines
Privacy advocates targeted CISA in all its forms as it moved through the legislature last year, and some said they plan to continue fighting its implementation. Johnson said he hopes DHS can assuage their fears and wants their input as the sharing network develops.
"We welcome feedback from privacy advocates and private sector participants in the AIS system as we continue to develop the final documents ahead of their statutory deadline in June," he said.
DHS also awarded a grant to the University of Texas at San Antonio to develop the standards and procedures for ISAOs, though that work will not be completed for another two to five years.