Information Sharing for the Information Age

The Act seeks to strike a balance between these seemingly (though not entirely) contrary interests: protecting privacy while providing important tools to those charged with safeguarding corporate interests, including customers' privacy, and critical civic infrastructure. Coupled with the continuing effort to establish and mature information sharing and analysis centers and organizations (ISACs and ISAOs, respectively), the Act is an important step toward allowing those charged with defending against cyber attacks to do what those engaged in cyber attacks have done for a very long time: learn from each other.

Present State of Information Sharing

The concept of a formal information-sharing relationship between the government and the private sector is not new. In fact, the organizations at the core of the cybersecurity information-sharing infrastructure date back nearly two decades. See, The White House, “Presidential Decision Directive 63: Critical Infrastructure Protection,” May 22, 1998, (establishing industry-sector specific ISACs); and Homeland Security Act, P.L 107-296 '212(5), 6 U.S.C. '131(5) (defining ISAOs). Despite long-running support for an open dialogue between government and industry, a lack of national strategy has led to a hodgepodge of sharing organizations and ad hoc lines of communication. For instance, there are multiple federal entities involved in cyber information sharing, both within the federal government and with industry, including the National Cybersecurity and Communications Integration Center (NCCIC), the Cyber Threat Intelligence Integration Center (CTIIC), the National Cyber Investigative Joint Task Force (NCIJTF), InfraGard, and the National Cyber Forensics & Training Alliance (NCFTA). ISACs have developed over the years as clearinghouses for information for various industry sectors, including financial services, legal services, and the defense industrial base.

Perhaps the most common form of communication at the moment, however, is far more informal. Government employees (including two of the authors) often enter private industry when they retire from government service, bringing with them contacts within the law enforcement and intelligence communities that serve as critical communication points for cyber incident response. Corporate security, compliance, and general counsels' offices and law firms are each filled with former agents and prosecutors who, in the absence of a more formal system, serve as vital communication links.

A Long Road to Passage

Cybersecurity gained the attention of Congress at least 10 years ago when Sen. Patrick Leahy first introduced the Personal Data Privacy and Security Act of 2005, S. 1332 (109th). That bill sought to improve protection for consumer information, establish a national set of breach notification standards, and set minimum security standards for entities that maintain personally identifiable information (PII). It failed to pass the full Senate, both when first introduced and in subsequent Congresses when it was raised again.

Efforts to build a national, structured system for handling the cyber threat, however, continued. In 2009, President Barack Obama established the NCCIC to provide a defined organization “to bolster information sharing and incident response.” Presidential Policy Directive No. 1, “Organization of the National Security Council System” (Feb. 13, 2009). And, in 2011 and 2012 respectively, the Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 3523 (112th), was introduced in the House and the Cybersecurity Information Sharing Act (CISA), S. 2102 (112th) (reintroduced in 2015 as S. 754 (114th), was introduced in the Senate. Neither bill received Congress's approval and there ensued years of debate over their contents and that of two more House bills introduced in early 2015 covering essentially the same topics: the Protecting Cyber Networks Act, H.R. 1560 (114th), and the National Cybersecurity Protection Advancement Act of 2015, H.R. 1731 (114th).

While each of these bills enjoyed industry support, they prompted concerns about privacy and government action. The concerns ranged from fears that the government would use the bills as an end run around the Fourth Amendment to obtain evidence for criminal prosecutions, to the National Security Agency's use of the data for surveillance purposes, to the government's inability to effectively secure the information it received. Industry representatives also expressed concerns that information revealed as part of the process would prompt regulatory action, be discoverable under Freedom of Information Act laws, vitiate trade secret protections, or even constitute a violation of antitrust laws. Even the Department of Homeland Security (DHS) voiced opposition to CISA, arguing that it failed to require, or even provide the time to permit, the scrubbing of unnecessary PII from company data before sharing it with other entities. See, “Remarks of Sen. Al Franken on the Cybersecurity and Information Sharing Act of 2015.”'

The Act

The Cybersecurity Act attempts to resolve all of these concerns while providing a central location to focus information sharing and permitting the free flow of critical intelligence between government and industry. At its core, the Act requires the Attorney General, Director of National Intelligence, and the Secretaries of Homeland Security and Defense to jointly create and maintain a program permitting private and government entities to share cybersecurity information, threat indicators and defensive measures. The heart of the concept, set forth in '105 of the Act, is for DHS to establish a central, sole entry point for cybersecurity information shared with the federal government (with an exception for information required to be shared between an entity and its regulator). By providing a common point of contact, the Act seeks to move beyond the current system of informal communications mixed with formal sharing structures to ensure that all relevant parties are informed.

At the same time, the Act seeks to continue a path toward robust industry information-sharing groups. Pricewaterhouse Cooper (PwC) and the White House have been working together to help industry establish ISAOs, where key industry players can come together to help each other protect against cyber threats. A major stumbling block in that effort has been the government's inability to facilitate information sharing given the classified (and often over-classified) nature of the information in its hands. The Act seeks to overcome that barrier in two ways. First, it mandates that the new program must permit the sharing of classified information with private industry employees who hold security clearances, thereby limiting legal liability for those who share classified data under the Act. Second, it encourages the declassification of cybersecurity information so that it can be shared with a broader audience. Thus, Congress has sent a signal that those classifications should be revisited. Collectively, this lays the foundation to finally open a two-way flow of information between industry and government.

Much of industry's concerns are addressed in the Act. For instance, it provides an exemption from antitrust laws for the sharing of cybersecurity information and defensive measures between private companies, specifies that sharing information under the Act will not act as a waiver of trade secret protection, and exempts from FOIA disclosure information provided by industry to the government. In addition, the Act expressly permits, notwithstanding any other provision of law (presumably including the Wiretap Act, 18 U.S.C. ”2510 et seq.), private entities and their third-party vendors to perform network monitoring and the operation of defensive measures applied to the entities' networks for the purpose of cybersecurity.

An open question, however, is whether the Act's promise that information sharing with the government “shall not constitute a waiver of any applicable privilege or protection provided by law” is sufficient to protect such disclosures from a waiver of attorney-client privilege. That privilege is not just a creature of federal law, but of state law as well, and it is not clear that Congress can, or did, preempt state law in its formulation. That said, in the ordinary situation, the threat indicators and defensive measures contemplated by the Act can likely be shared without revealing the type of legal advice and work product covered by the privilege.

The Act also attempts to answer privacy concerns. In an apparent response to DHS's concerns about CISA, private industry must review all shared information for PII and remove any such information pertaining to or identifying specific individuals unless that information is directly related to a cybersecurity threat. Those who violate this restriction lose the Act's legal protections, while those who comply are shielded from civil suits arising from their sharing information. The Act also mandates that the information-sharing program set minimum standards for data security surrounding the shared information for both industry and the government. Finally, it provides the organizations that hold the greatest amount of our private information ' the service providers, retailers, and financial institutions that we deal with on a daily basis ' with an important tool to protect that sensitive information.

For its part, the government must maintain the security of the shared information and can only use that information for a purpose related to cybersecurity or to investigations and prosecutions arising from:

'

1. A specific threat of death, serious bodily harm, or serious economic harm, including a terrorist act or a use of a weapon of mass destruction;
2. A serious threat to a minor, including sexual exploitation and threats to physical safety; or
3. An offense arising out of '

'

i. Identity theft and computer fraud;

ii. State secret espionage;

iii. Economic espionage; or

iv. Theft of trade secrets.

A Global Perspective

While the Act itself is focused on establishing a domestic system for information sharing, it has an eye on the next frontier: international cooperation in threat intelligence. The Act calls for DHS to conduct a 180-day study “on the range of efforts underway to bolster cybersecurity collaboration with relevant international partners.” Unfortunately, while there is global demand for information sharing, there are significant obstacles to cross-border sharing networks. Foremost among them are the different legal regimes around the world addressing data privacy and national security. Those differences were only heightened by the loss of the EU data sharing safe harbor provision last year, though the announcement in February of a potential deal to re-establish that protection is a step back in the right direction. See, “The Raising of a Privacy Shield,” in our March 2016 issue. The Act itself is also a step in the right direction by requiring the government to address over-classification of data. We first need to see the U.S. government following through with this in earnest, and we then need to see other countries following suit. Governments need to liberate their information so that the private sector and other governments can benefit.

A First Step Down the Path

The Act is not a panacea. As an initial matter, its mandate that the heads of multiple federal agencies collaborate on the creation of a single information sharing system is ambitious. As the history of the development of just the intra-government information sharing entities has shown, the differing priorities and perspectives of the various interests involved ' from law enforcement to intelligence and defense ' render finding a single approach difficult. At the same time, as opponents of CISA pointed out, information sharing cannot overcome one of the most significant ailments affecting our cyber infrastructure: weak security standards across many sectors of the economy. And the information-sharing community established by the Act is a voluntary enterprise, creating the risk that some may choose to be consumers of information while depriving the larger group of their critical insights. The Act, however, does not pretend to be a magic bullet to end all cyber crime. Nor does it answer all of the critics or provide every protection that industry sought.

It is, however, an important step in the right direction. It removes several barriers that have held back the development of a protected space where those on the front lines of cyber defense ' both in industry and government ' can effectively help each other protect our country, economy, and personal information from attack. PwC has been and remains deeply committed to the development of ISAOs and furthering the maturity of ISACs, the formal structures for that information-sharing space, because we believe that information is not only the prime target of cyber attacks, but a powerful instrument in preventing them. PwC will soon be issuing its second report to the White House emphasizing this point and capturing the views of the many who have joined us in this endeavor. See, David Burg & Sean Joyce, “Study and Considerations on Information Sharing and Analysis Organizations” (July 2015). By allowing those who are threatened by cyber attack to learn from each other's experiences, the Act marks an important step forward in our collective struggle against the cyber threat.

It is our fervent hope that industry participants take advantage of this opportunity to participate in the ISAOs and ISACs and share what they learn from their own defensive efforts. Cyber crime is not an isolated issue affecting only certain institutions. It affects us all, and only by acting together can we gain a measure of security.

David Burg, a principal at Pricewaterhouse Cooper (PwC), leads the firm's global and U.S. cybersecurity practice. Sean Joyce, former FBI deputy director, is a principal of the firm, leader of its financial crimes unit, and chief cybersecurity strategist. Douglas B. Bloom, former assistant U.S. attorney and software engineer, is a director of the firm's cyber crime and incident response practice.