The Department of Homeland Security and Department of Justice have issued guidance to non-federal entities, including ISPs, on how to share cyber threat information under the Cybersecurity Information Sharing Act (CISA) of 2015.
The bill (now law), supported by cable operators and other ISPs, makes it easier for companies to share cyber threat information with government and vice versa, including providing liability protections from lawsuits if sensitive personal information was inadvertently shared. The sharing is voluntary, so the liability protection is a way to incentivize participation. It passed as a rider on the omnibus budget bill that passed in December.
The guidance includes examples of what qualifies as a "threat indicator" that can be shared, what types of information are protected and unlikely to be directly related to a security threat, what defensive measures can be taken, and what protections non-federal entities get.
Among the info that would be a threat indicator and could be shared are:
"A company could report that its web server log files show that a particular IP address has sent web traffic that appears to be testing whether the company’s content management system has not been updated to patch a recent vulnerability.
"A security researcher could report on her discovery of a technique that permits unauthorized access to an industrial control system."
"A software publisher could report a vulnerability it has discovered in its software.
"A managed security service company could report a pattern of domain name lookups that it believes correspond to malware infection."
"A manufacturer could report unexecuted malware found on its network.
"A researcher could report on the domain names or IP addresses associated with botnet command and control servers.
"An engineering company that suffers a computer intrusion could describe the types of engineering files that appear to
have been exfiltrated, as a way of warning other companies with similar assets.
"A newspaper suffering a distributed denial of service attack to its web site could report the IP addresses that are sending malicious traffic."
Acceptable defensive measures against attacks that can be shared could include:
"A computer program that identifies a pattern of malicious activity in web traffic flowing into an organization.
"A signature that could be loaded into a company’s intrusion detection system in order to detect a spear phishing campaign with particular characteristics.
"A firewall rule that disallows a type of malicious traffic from entering a network.
"An algorithm that can search through a cache of network traffic to discover anomalous patterns that may indicate malicious activity."
Among the information protected under other privacy rules that would not appear to be directly related to cyberthreats and thus not necessary to share include protected health information, human resource information, purchase or preference history or credit history, education history, financial information, property ownership, identifying information of children under 13.
Chris Feeney, president of the tech policy division of the Financial Services Roundtable (http://fsroundtable.org/members/), comprising banks, insurance companies and other financial institutions that backed the bill, called the advisory "a positive step toward enabling the private sector to identify and share cyber threat indicators with the federal government, which will help better protect consumers and our nation’s security."
