What Information Does a Business Share with an ISAO?
Small and Midsized businesses are considerably concerned about their interaction with an ISAO and the sharing of information that takes place. The concern, justifiably so, centers around the type of information shared, culpability for a hack if the information is released and the privacy of the information that is shared.
In a nutshell, business owners want to be assured that they will be protected against government regulatory actions if they agree to share cyber-attack related information to increase the cybersecurity of industry overall.
The CISA law was written to address each of those concerns in order to incentivize businesses to join an ISAO. Remember, the Act was created to increase cybersecurity protection for ALL of industry through the transmission and dissemination of cyber threat indicators amongst industry and if possible, the USG. So, the government went thru great lengths to ensure that companies would want to join and in fact, Section 103.a.1-5 describes the various means the USG wants to share data in order to improve cybersecurity.
The information required pertains to the attack only, not the personnel, data or technology compromised.
The CISA law goes very far define a “cyber threat indicator.” In section 102.6 of the document, there is a detailed description of what the USG considers threat related data. There are several offensive descriptions of threats from the unapproved scanning or “malicious reconnaissance” of computers, to malicious cyber commands and controls, to proven methods for social engineering employees or users to access proprietary information. There are also attempts to identify vulnerabilities for dissemination such as the description of a known tool or a discovered method to defeat or exploit security controls. Again the intent is to quickly receive data on existing threats and report that to industry. There is no need to provide the ISAO or the USG with data such as the persons involved, the data or technology that was transferred, or any other proprietary data.
There is one point that needs to be clarified for the ISAO member. In reading the document, we find that fact, 102.6.(F), the government considers “the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat” a cybersecurity indicator. The end result is to understand the hack and the damage caused such as stolen technology, personal data, or use of business computers as botnets. Regarding the description of information exfiltrated, the business is not required to provide any detailed information regarding the attack i.e. the actual information, IP or trade secrets that were stolen, but the type of information such as IP, technology, classified/confidential information and/or personally identifiable information. It is assumed that descriptions of the stolen information allows the ISAO or DHS to more quickly identify those industries that are susceptible to the attack and notify them.
A look at the reporting format to the U.S. Computer Emergency Response Team (US-CERT) is reflective of the information that the ISAO would provide to the National Cyber Communications and Information Center (NCCIC). This report, found at us-cert.gov, shows that the information other than the name and POC information (which would be the ISAO to maintain anonymity) would be the generic information asked by any IT Incident Response Team to a hack. Information about the type of the hack, the domain, IP address or MD5 hash, defensive measures in play and other vulnerabilities are required, and this information, especially if shared with an ISAO is not directly attributable to a company and assists in getting the alert to industry faster. There are no requests for the information hacked or to supply any computer log files related to the event.
You are NOT required to share cyber threat indicators with the USG.
It is inaccurate to depict ISAO membership as being required to share information with DHS; in fact, the law provides for the sharing between “non-federal” entities as being covered. The law states that a “non-Federal entity” means any private entity, non-Federal government agency or department, or State, tribal, or local government. Thus, ISAO members may elect to not share information with DHS, though it is recommended, as long as the information is properly filtered and sanitized of proprietary or personal data. The reason it is recommended is nothing more than to increase the validity of any claim the business may have that it is sharing its information and to increase the perception of cybersecurity in case of any inadvertent public release of the attack at a later date.
Your data could be used by Law Enforcement in specific cases.
The numerous and valuable protections under the CISA act are afforded to businesses that not only share cyber threat data so that they can mitigate cybercrime, but any data that a company finds that indicates that one of three specific threats or offenses could occur:
- A specific threat of bodily or economic harm, or the use of a weapon of mass destruction.
- An indicator that a threat to a minor including sexual exploitation or a threat to physical safety.
- Or an indicator that personal identity fraud, espionage or theft of intellectual property would take place.
What the government is saying here is that, if a company finds evidence that the above threats are possible, it can use the ISAO to transmit that data through the approved Automatic Information Sharing (AIS) system to Federal authorities for their action. Under the law, the member can also send an email to the appropriate address reporting the discovery. However, in this case, the sharing of information between non-entities and not the Federal Government may disallow critical CISA coverages to be invoked as the data was not shared with a Law Enforcement entity for the ability to mitigate threats. It is recommended that sharing such data through an ISAO is accomplished since those protections would be of great value to any business that inadvertently became involved in one of those crimes through it employees.