Interim guidelines to the Cybersecurity Information Sharing Act

Despite the objections of many privacy advocates and security professionals, the Cybersecurity Information Sharing Act (CISA) is now the law of the land.

Slipped into the 2016 federal omnibus spending bill, CISA permits private entities to share information about cyberthreat indicators (CTIs) and defensive measures against cyber attacks, both with each other and with the federal government. 

The purported goal of CISA is to create something like a nationwide alert system for CTIs. If a business believes that it is experiencing a cyber attack, it can provide the threat signatures to the Department of Homeland Security (DHS), which can then blast out that information throughout the country in hopes of keeping the threat from spreading. 

The problem is that there are scant privacy safeguards to prevent private information from being shared through CISA. A private entity that shares information with the government is only required to remove “information that identifies a specific individual” of which it “knows at the time of sharing to be personal information.”

This is a low bar: If the entity doing the sharing isn’t aware “at the time of sharing” that a CTI identifies a specific person, it is not required to de-identify that information before sending it to DHS.

The best way to prevent personal information from falling into the hands of the feds is for non-governmental entities to decline to share it in the first place.

This is where the “Privacy and Civil Liberties Interim Guidelines,” recently released by DHS and the Department of Justice (DOJ), come into play. The Interim Guidelines require that DHS or any other governmental entity receiving information through CISA “shall review” CTIs for personally identifiable information prior to any further sharing within the government, and “destroy … in a timely manner” any remaining personal information.

In other words, the Interim Guidelines don’t let DHS simply assume that whoever shared the CTI did its job and removed personally identifiable information, but requires DHS — and any other federal entity that subsequently receives that information — to re-review and remove any extant personal information before sharing it further.

While a step in the right direction beyond CISA’s baseline, the Interim Guidelines aren’t perfect. Personal information only has to be removed if it is “not directly related to a cybersecurity threat.” Perhaps more troubling, the Interim Guidelines don’t require the destruction of personal information unless it is “known not to be directly related to uses authorized under CISA.” This creates a potentially vast loophole for the feds, as “uses authorized under CISA” include a number of law enforcement activities unrelated to cybersecurity, such as “investigating [and] prosecuting … sexual exploitation and threats to physical safety.”

As their title suggests, however, the Interim Guidelines are just that: interim. DHS and DOJ will be releasing the final guidelines sometime around mid-May 2016 and periodically revising them thereafter. One can hope that the final guidelines would look at privacy holes and either patch them completely or at least give more specific guidance as to situations that warrant the sharing of personal information

That being said, the best way to prevent personal information from falling into the hands of the feds is for non-governmental entities to decline to share it in the first place. CISA doesn’t require that private entities do much to protect their users’ information, but it doesn’t prevent them from doing so either. They can take extra steps to ensure that any information shared through CISA has been scrubbed for personally identifiable information, or they can simply decline to share information through CISA entirely.

Private companies that value their users’ trust would be wise to take one of these steps, irrespective of what the final or Interim Guidelines provide.