Cybersecurity Information Sharing Legislation Protecting Cyber Networks Act (PCNA) National Cybersecurity Protection Advancement (NCPA) Act

Transcription

1 In a flurry of activity, the U.S. House of Representatives last week passed two cybersecurity information sharing bills. Both the House Intelligence Committee and the House Homeland Security Committee had approved separate versions of the legislation in the last month (H.R and H.R. 1731, respectively). While the bills were passed discretely, they will likely be combined before being sent to the U.S. Senate for its consideration. This activity follows numerous attempts in previous Congresses to pass similar legislation and U.S. President Barack Obama s call for cyber information sharing legislation in his State of the Union Address in January. H I G H L I G H T S Cybersecurity Information Sharing Legislation Protecting Cyber Networks Act (PCNA) R Preventing, Detecting, Analyzing, Mitigating Cybersecurity Threats R Sharing of Information with Federal Government R Sharing of Information by Federal Government R Liability Protections National Cybersecurity Protection Advancement (NCPA) Act R Information Sharing with Federal Government R Liability Protections Executive Order Authorizes Economic Sanctions in Response to Cyber Crime On April 22, 2015, the House passed the Protecting Cyber Networks Act (PCNA) (H.R. 1560) by a vote of 307 to 116. Sponsored by the House Intelligence Committee, the legislation aims to defend against cyber-attacks through the creation of a framework for the voluntary sharing of cyberthreat information between private entities and the federal government, and it includes liability protection for those companies that choose to participate. The following day, the House passed the National Cybersecurity Protection Advancement (NCPA) Act of 2015 (H.R. 1731) by a vote of 355 to 63. Similar to the PCNA, the legislation encourages voluntary information sharing about cyberthreats between the private sector and the Department of Homeland Security. One of the key differences in the bills is that the NCPA Act only authorizes sharing with the Department of Homeland Security while the PCNA provides companies the flexibility to choose to share cyberthreat indicators or defensive measures with a number of different government agencies. Companies receive authorization and liability protection for sharing with the Department of Justice (including the Federal Bureau of Investigation), the Department of Commerce, the Department of the Treasury, the Office of the Director of National Intelligence, the Department of Homeland Security, and the Department of Energy. (CONTINUED ON PAGE 2) 2015 ISACA. ALL RIGHTS RESERVED

2 Business impact: Under the PCNA, companies can choose to share cyberthreat information with the federal agency to which they are most closely tied. Thus, for example, banks can share cyberthreat information with the Department of the Treasury, and power plants can share with the Department of Energy, etc. In two Statements of Administration Policy, President Obama offered support for the two bills while simultaneously expressing some reservations about the bills sweeping liability protections. President Obama expressed some reservations about the bills sweeping liability protections EXPERT COMMENT George W. Welles, Senior Fellow, Technological Leadership Institute (TLI) University of Minnesota, comments that the United States needs a comprehensive, widely supported, clearly understandable national cyber security policy. The currently proposed legislation represents only a limited, somewhat flawed attempt to resolve a small piece of the overall challenge. [This comment represents only the personal view of George W. Welles and does not reflect the opinions or positions of the University of Minnesota or the other entities with which he is involved.] Action Sports Photography / Shutterstock.com PROTECTING CYBER NETWORKS ACT (PCNA) The Protecting Cyber Networks Act enables private companies to monitor their networks and to voluntarily share cyberthreat indicators with one another and with the federal government. Specifically, the bill encourages sharing of cyberthreat indicators and defensive measures: R Between private companies R From private companies to the federal government R From the federal government to private companies Under the bill, a cybersecurity threat is defined as an action, not already protected by the First Amendment, on or through an information system that may result in an unauthorized effort to adversely impact the security, confidentiality, integrity, or availability of an information system or information that is stored on, processed by, or transiting an information system. CONGRESSIONAL COMMENT Lynn Westmoreland, Chair of the NSA and Cybersecurity Subcommittee (R-GA), noted that Cyberterrorism is the new battlefield, and adapting to this warfare is crucial to eliminating these threats. With the government and private sector working together, we can ensure that America remains on the offense against future cyberattacks. Cyberthreat indicators include information necessary to describe or identify malicious reconnaissance, a method of defeating a security control, a security vulnerability, a method of causing a user with legitimate access to an information system to unwittingly enable the defeat of a security control, malicious cyber command and control, the actual or potential harm caused by an incident, or any other attribute of a cybersecurity threat ISACA. ALL RIGHTS RESERVED CSX SPECIAL REPORT: PAGE 2

3 Preventing, Detecting, Analyzing, Mitigating Cybersecurity Threats The bill authorizes companies to monitor and employ defensive measures on their own information systems networks and those of others, such as their customers, with authorization and written consent, for cybersecurity purposes. Comment: The bill does not authorize the monitoring of systems for any other purpose, nor may companies operate offensive or destructive measures. Notwithstanding any other federal or state law, the bill also authorizes the sharing and receipt of cyberthreat indicators and defensive measures, and allows organizations receiving shared information to use it to monitor their information system or operate additional defensive measures. Cyberthreat indicators and defensive measures may, but are not required to, be shared with the federal government, but the bill does not encourage sharing information directly with the Department of Defense, including the National Security Agency. Moreover, the bill also does not authorize the federal government to conduct surveillance of any person. The bill stipulates that any organization monitoring an information system, operating a defensive measure, or sharing or receiving a cyberthreat indicator is required to implement appropriate security controls and to take reasonable efforts to assess and remove, as necessary, any personal information reasonably believed to be unrelated to the threat. An organization s ability to receive liability protection is contingent upon its adherence to these requirements. Comment: The bill takes extra steps to protect personal information by also requiring the federal government to assess any threat indicators it receives to ensure that they do not contain personal information unrelated to the threat. If so, the government is required to remove that information, and can be held liable for intentionally failing to do so. Business Impact: Information sharing within the same industry provides those participating in that industry or sector advantages in understanding industry-specific threats, and may enhance the ability of that industry to develop best practices to meet threats. Beyond that, there is a cost to members of a particular industry in developing defenses and capturing malicious activity as well as the cost of sanitizing information to be sent and shared within that sector. EXPERT COMMENTS Wm. Arthur Conklin, PhD, College of Technology, University of Houston, comments that while we need some laws, when we over-reach, or over generalize, we create laws with unintended side effects. We need a sharing law that allows sharing of cyber security information between parties and provides protections against recrimination. Bottom line sharing should be protected, not driven or mandated. George W. Welles, Senior Fellow, Technological Leadership Institute (TLI) University of Minnesota, believes that while there is a strong need for government business information sharing, the bills appear to raise serious personal privacy concerns. Based on past behavior, he does not believe business organizations have the knowledge, capability and discipline to reliably de-personalize their data before submitting it to federal agencies and other interested parties. [This comment represents only the personal view of George W. Welles and does not reflect the opinions or positions of the University of Minnesota or the other entities with which he is involved.] Business Impact: The bill also includes an amendment directing the Small Business Authority to provide assistance to small businesses to monitor information systems, operate defensive measures, and share and receive cyberthreat indicators ISACA. ALL RIGHTS RESERVED CSX SPECIAL REPORT: PAGE 3

4 Sharing of Information with the Federal Government In order to consolidate cyberthreat information received, the bill establishes a Cyber Threat Integration Center (CTIC) within the Office of the Director of National Intelligence. Under the PCNA, the CTIC will be the primary organization within the federal government for the analysis and integration of cyberthreat intelligence, ensuring that all appropriate parties within the government are informed of and able to respond to threats, and coordinating intelligence activities across departments and agencies. The CTIC will also conduct strategic cyberthreat intelligence planning for the federal government. The bill directs the White House and Attorney General to develop policies for the receipt and protection of information by the federal government. These procedures must ensure that information is shared in real time with appropriate federal entities, include audit capability, and authorize sanctions for those who misuse such information. The Attorney General s guidelines will limit the impact on privacy and civil liberties of actions taken by the federal government by creating requirements to safeguard personal information and limit its receipt, retention, use, and dissemination. Business Impact: If a department or agency willfully violates the privacy and civil liberties guidelines developed by the Attorney General, the U.S. can be held liable to those injured by the violation. An organization that chooses to share information with the federal government does not waive any applicable privilege or protection provided by law, including trade secret protection. Threat indicators or defensive measures shared will be considered commercial, financial, and proprietary information, and information may be retained and used by the federal government only for the specific purposes of protecting information systems, identifying threats, responding to threats, and preventing and investigating any offense arising from such threats. Sharing of Information by the Federal Government The bill also includes provisions for the sharing of cyberthreat intelligence by the federal government with the private sector, non-federal government agencies, or state, tribal, or local governments. The Director of National Intelligence will work with other federal agencies to create procedures that: n ensure that the government can share information in real time; n incorporate existing processes for information sharing, including sector-specific information sharing and analysis centers; n include guidelines for notifying entities of threat indicators shared in error; n require federal entities receiving cyberthreat intelligence to implement appropriate security controls to prevent unauthorized access; and n require federal entities, prior to sharing information, to review indicators to determine whether they contain personal information unrelated to threats and to remove such information ISACA. ALL RIGHTS RESERVED CSX SPECIAL REPORT: PAGE 4

5 Liability Protections The sharing of information is completely voluntary under the PCNA, but companies who share cyberthreat indicators or defensive measures will receive legal liability safeguards if they comply with the appropriate privacy protections. The bill maintains that no cause of action shall lie or be maintained in any court against any entity for the monitoring of information systems, nor for the sharing or receipt of cyberthreat indicators or defensive measures, if the information is shared in accordance to the procedures outlined in the bill. Comment: It is unclear whether the liability protections offered in the bill will be sufficient enticement for businesses to participate in the program. Many companies, however, view liability protection as a minimum requirement to take part in any information sharing arrangement. NATIONAL CYBERSECURITY PROTECTION ADVANCEMENT (NCPA) ACT Like the PCNA, the NCPA Act also encourages the private sector to share information with the federal government by providing liability protections. The NCPA Act names the Department of Homeland Security s National Cybersecurity and Communications Integration Center (NCCIC) as the central location where cyberthreat indicators and defensive measures may be shared. A cyberthreat indicator is defined in the NCPA Act as technical information that is necessary to describe or identify: n an informed method for probing, monitoring, maintaining, or establishing network awareness of an information system for the purpose of discerning technical vulnerabilities; n a method for defeating a technical or security control of an information system; n a technical vulnerability, including anomalous technical behavior that may become a vulnerability; n a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control; n a method for unauthorized remote identification of, access to, or use of an information system or information that is stored on, processed by, or transiting an information system that is known or reasonably suspected of being associated with a known or suspected cybersecurity risk; 2015 ISACA. ALL RIGHTS RESERVED CSX SPECIAL REPORT: PAGE 5

6 n the actual or potential harm caused by a cybersecurity risk, including a description of the information exfiltrated as a result of a particular cybersecurity risk; and/or n any other attribute of a cybersecurity risk that cannot be used to identify specific persons reasonably believed to be unrelated to such cybersecurity risk, if disclosure of such attribute is not otherwise prohibited by law. CONGRESSIONAL COMMENT John Ratcliffe, Chair of the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee (R-TX) commented that Ultimately, [this bill] will arm those who protect our networks with valuable cyber threat indicators that they can use to fortify defenses against future cyber intrusions while protecting the personal information of Americans. The NCPA Act defines a defensive measure as an action, device, procedure, signature, technique, or other mechanism applied to an information system or information that is stored on, processed by, or transiting a system that detects, prevents, or mitigates a known or suspected cybersecurity risk, or incident threat or security vulnerability and any attribute of hardware, software, process, or procedure that could enable and facilitate the defeat of a security control. Comment: Any measure that destroys, renders unusable, or substantially harms an information system or data not belonging to the entity operating the measure is not considered a defensive measure under the legislation. The NCPA Act also authorizes the establishment of a National Cybersecurity Preparedness Consortium (NCPC) made up of university partners and other stakeholders. The purpose of this consortium is to provide training and technical assistance to state and local officials in cyber security preparation and prevention of cyber-attacks. Information Sharing with the Federal Government The NCPA Act designates the NCCIC as the lead civilian interface to receive cyberthreat information and establishes voluntary information sharing procedures. Pursuant to the legislation, the NCCIC may only use the information it receives to prevent and respond to cyber-attacks and to enhance the United States cyber defenses. Comment: In response to privacy concerns, the bill specifically states that shared information cannot be used for any law enforcement or surveillance purposes. As part of the voluntary sharing procedures, a standard sharing agreement will be available on the Center s website for use by the private sector or state and tribal governments. In addition, the Center will negotiate a non-standard agreement at the request of a non-federal entity if deemed appropriate under the particular circumstances. In coordination with industry and other stakeholders, the Undersecretary for Cybersecurity and Infrastructure Protection will develop capabilities based on standards and widely used approaches in the information technology industry that support and rapidly advance the development, adoption, and implementation of automated mechanisms for the timely sharing of cyberthreat indicators and defensive measures to and from the Center and with each appropriate federal agency ISACA. ALL RIGHTS RESERVED CSX SPECIAL REPORT: PAGE 6

7 Liability Protections In addition to the NCPA Act s grant of liability protections for the voluntary sharing of cyberthreat indicators and defensive measures with the NCCIC, private companies are also granted liability for conducting network awareness of their own information systems. The NCPA Act also ensures that personal information is removed before sharing cyberthreat indicators. Entities must make reasonable efforts to remove information that can be used to identify specific persons unless they are related to a cybersecurity risk or incident identified at the time of sharing. Comment: Neither House bill defines reasonable efforts; thus, it is unclear what legal standard will be used in cases where personal identification information is shared. In addition, before the NCCIC shares information received from the private sector with others, it must perform a review and appropriate redaction of personal information that is unrelated to the cybersecurity risk being further shared. SUNSET Both the NCPA and the PCNA contain sunset provisions that cause the acts and their amendments to terminate seven years after their enactment. EXECUTIVE ORDER AUTHORIZES ECONOMIC SANCTIONS IN RESPONSE TO CYBER-CRIME The White House has also recently acted to combat cyberthreats. Earlier this month, President Obama declared cyber-crime a national emergency and signed an executive order authorizing new sanctions against cyber attackers. The President s action allows the Treasury Department to impose sanctions against individuals and groups deemed responsible for or complicit in malicious cyber-attacks that constitute a significant threat to national security or the economy. The order also covers those who willingly receive or use stolen trade secrets. Introducing CSX Skills-Based Cybersecurity Training and Performance-Based Certifications CSX is your premier source for education, training, research, industry events and community and now, for cutting-edge certifications and training courses. Our new, skills-based programs are designed to help you build, test and showcase your skills in critical areas of cybersecurity. Visit for more information ISACA. ALL RIGHTS RESERVED CSX SPECIAL REPORT: PAGE 7