Cyber-attacks within the US have been increasing in both frequency and sophistication in recent years. With no sign of this trend reversing, and after highly public and embarrassing attacks earlier this year against numerous companies and US Government agencies, lawmakers are stepping in to help bolster defenses before the next big attack.
On October 27, 2015, the Senate passed the Cybersecurity Information Sharing Act, legislation that will require public and private entities to share information regarding cybersecurity threats and breaches. Originally introduced in July 2014,1 the Cybersecurity Information Sharing Act (CISA) was the subject of much debate over how the Senate should pass it and over the more than 20 amendments brought to the bill before its final passage. Private and public entities, organizations and individuals have argued that sharing information is not enough to prevent future cyber breaches, and that sharing cyber-threat related data may compromise user privacy. However, as reiterated by Senator Richard Burr, action needs to be taken now to combat increasing cyber-attacks and reinforce defense measures.2
The industry is expecting the Senate bill to be reconciled with the National Cybersecurity Protection Advancement Act of 2015, which was passed by the House of Representatives in April 2015. In our view, this should allow for a unified approach to combating cyber-attacks.
Objectives of CISA
The intent of this act is to promote the real-time sharing of Cyber-Threat Indicators and Cyber-Threat Defenses between government agencies, law enforcement, and private entities. The goal of CISA is to combat sophisticated international cyber-threats by sharing details of the threats, along with defensive strategies to mitigate risks to the greater public. The information to be shared may be either classified or unclassified, but contributing entities must make every possible effort to remove and safeguard all personal, private data that is not relevant to the cyber-threat.3
CISA can help entities prepare for cyber-attacks by informing them of reported attacks and breaches experienced by other parties, and of the methodologies used by peers to defend against them.4 In our view, the rationale behind this is to create synergies that benefit all entities and improve their defenses. By implementing real-time, or near real-time, reporting, entities should be able to respond more quickly and protect their computer systems, thereby lessening the issues and costs associated with compromised data and security breaches.
CISA will also seek to protect Personal Identifying Information (PII) by requiring companies to remove this data as far as possible prior to sharing information related to the cyber-threat.5
- Organizations should begin to think about the reporting requirements necessary to comply with CISA and start to sort through which data may be relevant for information sharing. Entities will be given liability coverage under CISA, and any data or information shared will remain proprietary to the entity sharing it, but careful consideration should be given to sharing only what is legally necessary.6
- The appropriate federal entities will receive cyber-threat related data, which will then be shared with non-federal entities as well.7 Organizations should begin to consider how cyber-threat related data will be assimilated once received. Lessons learned from the cyber-threat indicators and defensive measures used in a particular attack or breach should be extracted quickly, especially if there are similar attacks across different entities within a short span of time.
- Entities that have not taken the step to implement monitoring and surveillance initiatives should quickly mobilize on how to:
- I. Identify vulnerabilities, threats or indicators
- II. Capture data related to cyber-attacks or threats
- III. Quickly gather intelligence and/or conduct analysis on a cyber-attack or threat
- CISA will likely specify the length of time for which entities receiving information are able to retain cyber-related data. Organizations should create policies and procedures to comply with the retention and dissemination clause of CISA.
With the passing of the Cybersecurity Information Sharing Act, we expect additional guidance to be published soon to help entities begin the process of sharing information with the appropriate Federal entities. Guidance may be published within the next 60 days and will include the following:8
- “Identification of types of information that would qualify as a cyber-threat indicator under this title (Act) that would be unlikely to include personal information or information that identifies a specific person not directly related to a cyber-security threat.”
- “Identification of types of information protected under otherwise applicable privacy laws that are unlikely to be directly related to a cybersecurity threat.”
- “Such other matters as the Attorney General and the Secretary of Homeland Security consider appropriate for entities sharing cyber threat indicators with Federal entities under this title (Act).”
- “Cybersecurity Information Sharing Act,” Wikipedia. Available at: https://en.wikipedia.org/wiki/Cybersecurity_Information_Sharing_Act
- “Senate considers controversial cyber security bill,” Reuters, October 21, 2015. Available at: http://www.reuters.com/article/2015/10/21/us-usa-cybersecurity-congress-idUSKCN0SE2CC20151021
- “Cybersecurity Information Sharing Act of 2015, S.754,” U.S. Library of Congress. Available at: https://www.congress.gov/bill/114th-congress/senate-bill/754/text
Newsletter Contact Person: Craig Unterseher
This blog is intended for general informational purposes only, does not take into account the reader’s specific circumstances, may not reflect the most current developments, and is not intended to provide advice on specific circumstances. Accenture disclaims, to the fullest extent permitted by applicable law, all liability for the accuracy and completeness of the information in this blog and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professional.
Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 358,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives.
Copyright © 2015 Accenture. All rights reserved.
Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
This document is produced by Accenture as general information on the subject. It is not intended to provide advice on your specific circumstances.
If you require advice or further details on any matters referred to, please contact your Accenture representative.