Cybersecurity Act of 2015 – Business Compliance is Optional?

The US Cybersecurity Act of 2015 introduced new initiatives that will strengthen the Federal Government’s cybersecurity defenses, and furthers collaboration between Government and Business in the fight against cyber threats, although under this law, Business is not obligated to comply. SCS suggests why the private sector should pay attention and participate in the voluntary cyber threat information sharing process.

As part of a $1.1 trillion omnibus spending bill (H.R. 2029) that President Obama signed into law on December 18, 2015, The Cybersecurity Act of 2015 (Division N), seeks to broaden relationship between private enterprise and the Federal government, in the fight against cyber threats.  While the new law clearly defines requirements for the Federal government to take action to improve cybersecurity defenses and information sharing, the participation of MOST private enterprise will be voluntary.  Of course, the law also expands authority of Homeland Security to take decisive action to protect the security interests of the Nation, addressing both external and insider threats, both foreign and domestic.

Congress has been wrestling with this legislation since mid-2014. The debate carried into the private sector, where leading technology companies (Apple, Twitter and Dropbox) and privacy rights advocates argued that the law is a step in the wrong direction, allowing the Federal government more access to the privacy data of its citizens.  There is certainly precedence for the privacy concerns (Read: The Patriot Act and earlier attempts to pass cybersecurity legislation – both successful and failed).  Earlier versions of this bill called for law enforcement backdoors to encryption technologies, which were fortunately scuttled.[1]  Conversely, the telecommunications and banking industries championed the bill.  The law expands their rights to investigate and voluntarily report to the Feds the existence of cyber threat indicators within their networks and information systems without fear of legal repercussion.[2]

Throughout the debate that led to the final language adopted as law, opposition to the Cybersecurity Act of 2015 centered on whether the US Federal Government is the largest privacy threat to individuals and organizations.  Privacy advocates have successfully achieved protections in the Act that:

1. minimize access of the Federal government to privacy data; and
2. define use limitations for the information collected through voluntary sharing; the Feds can only use the information for cybersecurity purposes and nothing more.

Any entity (Federal or non-Federal) that reports the existence of cyber threat indicators must remove privacy data prior to sharing it with Homeland Security.

I might argue that hackers and cybercriminals certainly pose a greater threat than the U.S. government.  The President, Congress, the Department of Homeland Security, NSA and FBI all bear responsibility to protect the country’s physical, financial and cyber interests, and they have to take action.  As I have already pointed out, the lengthy debate caused significant delays to the ultimate enactment of the legislation. The government now comes across as reactionary, since much of its mandated content has been common commercial practice for years.

In fact, many Federal agencies have actually already implemented a number of the requirements, in line with NIST 800-53 standards, to varying degrees.  For instance, multi-factor authentication has been a reality for a number of Federal agencies and their contractors for years.  However, until the recent Federal Cybersecurity Sprint at the end of 2015, some notable agencies, including the Office of Personnel Management, only relied on usernames and passwords to access their systems environments.[3]   Now, in accordance with the Act, the Department of Homeland Security will have to corral independent agency efforts into a more cohesive, government-wide cybersecurity architecture, and enforce the common NIST standards across ALL Federal agencies, at least for those requirements included in this round of legislation.[4]

Security industry press has long called for a strong partnership between government and commercial enterprise to strengthen cybersecurity.[5]  The voluntary sharing of information is a step in the right direction to fight cyber criminal activity.  The opportunity for commerce and privacy advocates to participate in the discussion should continue to influence not only the implementation of this law, but future legislation as well.

So, why should a non-Federal entity voluntarily share cyber threat indicator information with the Federal government?

• Most organizations subscribe to US-CERT notifications as part of proactive threat monitoring programs.  Now the government is asking for notifications of security threats detected by non-government entities as a return of favor, so they can respond to and alert all stakeholders more expeditiously. As cybersecurity concerns grow in conjunction with the frequency and severity of attacks, it is incumbent on all parties (commercial, government and individual) to work together to protect our shared National interests.
• The Act explicitly protects your organization from any legal liability associated with the sharing of cyber threat indicator information with the Federal government, provided you de-identify the data and submit the information through the Department of Homeland Security’s portal, which has not yet been launched as of this posting.
• If you are a Federal contractor operating an information system on behalf of the Federal government, or you process Federal data, you should actively report on, and take defensive measures against cyber threat indicators. If your system interconnects to a Federal information system, you could possibly operate an attack vector that a would-be cybercriminal could use to infiltrate Federal systems.  This is precisely what occurred in June, 2015 when cyber attackers used KeyPoint Government Solutions’ systems to breach the Office of Personnel Management  and gain access to data of 21.5 million individuals.[6]
• As a Federal contractor, your organization likely drives much of its revenue from the services you provide to the government. While unlikely, a large-scale cybersecurity event could potentially affect availability of Federal services, including their payment processing systems.
• If your organization is accredited by a Federal Agency as complying with NIST 800-53, then identification of a Cyber Threat Indicator is not a negative finding of your organization’s information security posture. On the contrary, your early identification of a potential threat indicates that your systems and controls are working as designed.
• Finally, “To share current security-related information, including threats, vulnerabilities, and incidents” in accordance with ‘organizational missions/business functions’…’consistent with applicable federal laws’ is a requirement of NIST 800-53 control PM-15 (Contacts with Security Groups and Associations). As a Federal contractor, it will probably be a good idea to report that your organization “shares Cyber Threat Indicator” information through the DHC Cybersecurity portal.

For a detailed description of the key points of the Cybersecurity Act of 2015, please see my companion article, “An InfoSec  Manager’s Guide to the Cybersecurity Act of 2015”.

[1]Greene, Robyn.  “The Knock-Down, Drag-Out Fight Over Cybersecurity Legislation,” Slate.com, January 15, 2016. http://www.slate.com/articles/technology/future_tense/2016/01/how_the_privacy_community_made_cybersecurity_legislation_better.2.html

[2] Thielman, Sam, “Senate Passes Controversial Cybersecurity Bill Cisa 74 to 21,” 10/27/2015, http://www.theguardian.com/world/2015/oct/27/cisa-cybersecurity-bill-senate-vote

[3] “U.S. Federal “Cybersecurity Sprint” Boosts Strong Authentication Adoption in Government’s IT Systems,” 9/8/2015, http://www.isrus.com/2015/09/cybersecurity-sprint/.

[4] For a detailed description of the key points of the Cybersecurity Act of 2015, please see my companion article, “An Information Security Manager’s Overview of the Cybersecurity Act of 2015”.

[5] https://icps.gwu.edu/private-sector-reluctant-partner-cybersecurity;

[6] “U.S. Federal “Cybersecurity Sprint” Boosts Strong Authentication Adoption in Government’s IT Systems,” 9/8/2015, http://www.isrus.com/2015/09/cybersecurity-sprint/.