On December 18, 2015, President Obama signed the Cybersecurity Information Sharing Act (CISA) into law in an effort to increase cyber-related threat information sharing between public and private sector entities. Now, in order to mitigate fears that CISA could infringe upon privacy and civil liberties, the Department of Homeland Security (DHS) has released interim guidelines to further explain how the government plans to safeguard the data shared under the new law.
The CISA Privacy and Civil Liberties Interim Guidelines govern how a federal entity shares cyber threat indicators obtained in connection with the activities authorized by CISA.
“We know many cyber intrusions can be prevented if we share cyber threat indicators,” said Homeland Security Secretary Jeh Johnson. “These can include, for example, the subject line of a spear phishing email, or the IP address of the computer from which it originated. Sharing this kind of information in real-time, and swiftly applying defensive measures, will allow both the government and private sector to more effectively prevent attacks.”
In preparing the document, DHS and the Department of Justice consulted with the Departments of Commerce, Defense, Energy, Treasury, and the Office of the Director of National Intelligence.
There are eight guiding principles listed in the interim guidelines. They include transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, and accountability and auditing.
In addition to the privacy and civil liberties interim guidelines, DHS also released the following three documents:
- Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities
- Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government
Lawmakers introduced CISA in response to the massive and unrelenting barrage of high-profile, damaging cyber attacks against public and private sector entities over the past several years. Although tech companies and privacy advocates initially clashed with the government over CISA, DHS believes the new guidelines will provide clarity on how federal entities plan to engage in activities authorized by CISA without compromising privacy rights or civil liberties.
DHS said it welcomes feedback from privacy advocates and the private sector as it continues to develop the final documents ahead of its June 2016 deadline.
“The guidelines issued today are a significant step forward in implementing this important law,” said Johnson.