TLP: GREEN

AUGUST 21, 2017

Overcoming Legal Barriers – R-CISC Webinar
Insights from Lisa Sotto, Partner, Hunton & Williams

Powered by the Retail ISAC, A Division of the R-CISC



BACKGROUND

BEFORE CISA IMPLEMENTATION

• Large cloud of legal uncertainty within both public and private industries
• Companies historically were forced to grapple with legal risks when considering whether to share cyber threat intelligence
• Faced various concerns over sharing cyber threat information, including:
  o limited assurances that shared intel would not be disclosed to regulators
  o sharing would be used as evidence in regulatory actions
  o shared information could potentially make its way into the hands of regulators from law enforcement or other private sector entities

SINCE THEN, THE CYBERSECURITY INFORMATION SHARING ACT (CISA) HAS BEEN ENACTED

TLP: GREEN

Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.

KEY BENEFITS

• Alleviates many legal risks
• Grants businesses legal protections applied to their sharing of threat information
• Results in far less legal risk with sharing/receiving/using intel in the US
• Takes a carrot rather than a stick approach to promoting good cyber practices
• Provides businesses with legal protections for:
  o sharing threat intelligence
  o monitoring systems for cyber issues (e.g., employee monitoring)
  o defending systems against cyber threats


INFORMATION SHARING UNDER CISA

• Offers legal protections for engaging in certain types of sharing activities
• Allows for sharing between and among the private sector and state, local, and federal government agencies
• CISA permits businesses to exchange cyber threat indicators and defensive measures for cybersecurity purposes, subject to a few restrictions
  o applies to sharing and receiving information from the private sector
  o CISA defines "private entity" to contemplate ISACs, ISAOs, and cybersecurity services providers
• CISA protections apply to both informal information sharing (by phone) and more formal arrangements (through an ISAC)
• CISA does not seek to restrict sharing relationships
• CISA does not mandate sharing of information
• CISA does not create a duty to:
  o share cybersecurity information
  o act based on the receipt of information
• CISA increases sharing between the public and private sector and supports the 2013 Cybersecurity Executive Order
  o FBI/Secret Service reach out to the private sector on issues

KEY LEGAL PROTECTIONS WITH CISA

• Safe harbors for businesses from lawsuits and regulatory actions (violation of antitrust or other govt. investigations with respect to info sharing)
• Liability protection: shields businesses from lawsuits over sharing information for cybersecurity purposes (protected when sharing between private sector entities)
• Explicitly provides companies with protections against antitrust actions in connection with authorized sharing of threat activity information with others
• Shields businesses from certain regulatory actions

OTHER PROTECTIONS OF NOTE

• Protection from public disclosure under FOIA (Freedom of Information Act) (held at bay for these purposes)

KEY CONSIDERATIONS AND LIMITATIONS

• To receive the legal protections available under CISA, you need to adhere to the requirements and restrictions for sharing
• CISA's protections apply to sharing information for a limited purpose, yet provide a good deal of latitude:
  o protect a system or process from a threat or vulnerability
• Doesn't cover sharing for any other reasons
• If there is another purpose for sharing information, CISA won't protect you
• Authorizes the sharing of certain types of information: threat indicators and defensive measures
  o Example: If you are sharing an entire hard drive that's been compromised, not all data on it has been compromised, so don't over share!
  o sharing personal information, especially about victims, may not be necessary to describe a threat indicator, so it likely won't be protected
• Only share information related to a cyber threat to protect, detect or mitigate
• CISA requires you to remove personal information from an indicator that is not directly related to a cyber threat
• CISA requires businesses that are sharing or receiving indicators to use security controls to protect against unauthorized access

CISA DEFINITIONS

Cyber Threat Intelligence: info necessary to identify cybersecurity threats and vulnerabilities

Cyber Defense Measure: includes an action, device, procedure, signature or other technique or other measure applied to an information system that detects, prevents or mitigates a cyber threat or vulnerability (including malware signatures)
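The pre-sharing scrub implied by the considerations above (strip personal information not directly related to the threat, share only indicator and defensive-measure content), worked as an added Python example that is not from the webinar or the R-CISC. The record layout, field names and the phishing indicator are constructed assumptions; the sender address stays because it is itself the indicator, while the victim's address and internal fields are withheld.

```python
import re
from copy import deepcopy

# Fields that describe the threat or the defence against it (assumed layout).
# Anything else (victim details, internal tickets, full disk contents) stays home.
SHAREABLE_FIELDS = {"indicator_type", "value", "description", "defensive_measure"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def scrub_indicator(record):
    """Return (shareable_record, withheld_fields).

    Personal information inside free text is redacted unless it is itself the
    attacker artifact being shared (e.g. a phishing sender address), which is
    directly related to the threat and therefore stays.
    """
    shareable = {k: deepcopy(v) for k, v in record.items() if k in SHAREABLE_FIELDS}
    withheld = sorted(set(record) - SHAREABLE_FIELDS)

    # The indicator value itself is threat-related by definition.
    attacker_artifacts = {record.get("value", "")}

    def redact_email(match):
        addr = match.group(0)
        return addr if addr in attacker_artifacts else "[redacted]"

    for field in ("description", "defensive_measure"):
        if field in shareable:
            shareable[field] = EMAIL_RE.sub(redact_email, shareable[field])
    return shareable, withheld


# Constructed sample record (hypothetical phishing indicator, not real data).
SAMPLE_RECORD = {
    "indicator_type": "email-addr",
    "value": "invoice@bad-domain.example",
    "description": ("Phishing from invoice@bad-domain.example asked "
                    "jane.doe@retailer.example for payroll files"),
    "defensive_measure": "Block sender domain bad-domain.example at the mail gateway",
    "affected_users": ["jane.doe@retailer.example"],   # victim PII, not threat-related
    "internal_ticket": "HR-4471",                       # unrelated to the indicator
}


def prepare_sample():
    """Run the scrub over the constructed record and return the result."""
    return scrub_indicator(SAMPLE_RECORD)


if __name__ == "__main__":
    shareable, withheld = prepare_sample()
    print("share:", shareable)
    print("withheld:", withheld)
```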