A practical understanding of the Cybersecurity Act of 2015, with information security and privacy implications for Contractors.
As part of the $1.1 trillion omnibus spending bill (H.R. 2029) that President Obama signed into law on December 18, 2015, the Cybersecurity Act of 2015 (Division N) seeks to broaden the relationship between private enterprise and the Federal government in the fight against cyber threats. While the new law clearly defines requirements for the Federal government to act to improve cybersecurity defenses and information sharing, the participation of most private enterprise will be voluntary. The law also expands the authority of the Department of Homeland Security to take decisive action to protect the security interests of the Nation, addressing external and insider threats, both foreign and domestic.
Regardless of whether you champion the legislation or fear the government’s motives, the law has passed. So, let’s look at what is included, and how it may affect commercial organizations, and more specifically, Federal contractors.
At its core, the Cybersecurity Act of 2015 is divided into four titles:
- Cybersecurity Information Sharing;
- National Cybersecurity Advancement;
- Federal Cybersecurity Workforce Assessment; – and –
- Other Cyber Matters.
Cybersecurity Information Sharing
The purpose of this title is to promote the sharing of “Cyber Threat Indicators” between Federal agencies and non-Federal entities, in order to shorten the time between initial threat detection and response for all parties. The new term “Cyber Threat Indicator” replaces the “cyber risk” language found in older legislation. A Cyber Threat Indicator means any of the following:
- Malicious reconnaissance, including “anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;”
- “A method for defeating a security control or exploitation of a security vulnerability;”
- “A security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;”
- “A method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;”
- “Malicious cyber command and control;”
- “The actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular security threat;” or
- “Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law.”
Key requirements of this title include:
- The Department of Homeland Security (DHS) will establish and operate a central capability and process through which non-Federal entities can report, and receive, information about real or potential cyber threats and associated “Defensive Measures”. As of this writing, the new portal does not yet exist. The Act gives DHS 90 days from the enactment date (12/18/15) to stand up the capability, and 180 days to finalize the accompanying sharing procedures and privacy guidelines, so the first iteration should appear within the first half of 2016.
- Once cyber threat information is received through this capability, it must be shared across the Federal government in a formal, timely manner so that the response is coordinated and efficient.
- Section 104 may be the greatest source of angst for organizations. This section, titled “Authorizations for Preventing, Detecting, Analyzing, and Mitigating Cybersecurity Threats,” authorizes network operators to monitor, and to operate defensive measures on, their own networks and systems “for cybersecurity purposes.” It further allows a private entity to monitor the information system of another entity (private or Federal), provided written consent has been obtained from an authorized representative of the entity whose system is being monitored.
- “Cybersecurity purpose” means “the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.”
Information Sharing Guidelines and Key Points
- Before sharing, organizations must review each indicator and remove any information they know to be personal information about, or identifying, a specific individual, unless that information is directly related to the cyber threat. In most cases the inclusion of PII/ePHI has no bearing on the threat, and it should be removed. Treat this as a pre-submission control with its own evidence: what was stripped, by whom, and why anything personal was retained.
- Information your organization shares with Homeland Security through this mechanism may be used by the government only for cybersecurity purposes and a short list of enumerated exceptions (for example, preventing a specific threat of death or serious bodily harm), and it may not be used to regulate your otherwise lawful activities.
- Sharing cybersecurity information in accordance with the Act will not violate antitrust laws or waive any applicable privilege or protection provided by law, including protection of your organization’s trade secrets, as long as you report the information through Homeland Security’s mechanism. This is an important point. Your organization should not report these potential threats through the agencies it supports. You report Cyber Threat Indicators to Homeland Security, and DHS distributes the information to other agencies.
- For private enterprise, including Federal contractors, participation is voluntary; it is not a duty. The law specifically forbids the Federal government from penalizing a private entity for lack of participation. Section 108(h) even includes an “Anti-Tasking Restriction,” prohibiting the government from conditioning the award of a Federal grant, contract or purchase on the provision of cyber threat information.
- Under this law, telecom providers who operate the circuits that connect your facilities with each other and with the outside world may monitor your traffic “for cybersecurity purposes.” They may share this information with the Federal government, provided they do not violate your user agreement(s). Counsel and information security professionals should know their organization’s rights under those user agreements, and should carefully review any proposed changes to user agreements put forward in 2016.
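The de-identification step above is the one item in this list that an information security team actually has to build. The following is an added example, not code from the original article or from DHS: it scrubs a constructed indicator record (field names, the allowlist of threat-relevant fields, and the sample values are all assumptions made for this illustration) by dropping fields known to carry personal information, redacting e-mail addresses and internal RFC 1918 addresses from free text, and keeping the attacker-side facts (source IP, C2 domain, file hash) intact. A final check reports any identifiers that survive, so that a deliberate retention under the “directly related to the threat” exception is visible before the record leaves the organization.

```python
"""De-identify a cyber threat indicator before sharing it (added example).

The record layout, field names and sample values below are constructed for
this illustration; they are not a format defined by the Act or by DHS.
"""
import re

# Fields that describe the threat itself and are passed through verbatim.
THREAT_FIELDS = {"timestamp", "technique", "attacker_ip", "c2_domain",
                 "request_path", "sha256"}

# Fields known to carry personal information about a specific individual.
# They are dropped unless the submitter explicitly marks them threat-related.
PERSONAL_FIELDS = {"victim_user", "victim_email", "employee_name",
                   "workstation_owner"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# RFC 1918 ranges identify our own hosts and users, not the adversary.
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")

# Constructed sample: a phishing-to-webshell incident as an analyst might log it.
SAMPLE_INDICATOR = {
    "timestamp": "2016-01-14T09:22:41Z",
    "technique": "credential phishing followed by web shell upload",
    "attacker_ip": "203.0.113.45",            # documentation range, constructed
    "c2_domain": "update-check.example.net",  # constructed
    "request_path": "/uploads/inv0ice.php",
    "sha256": "d3b07384d113edec49eaa6238ad5ff00" * 2,  # placeholder hash
    "victim_email": "j.doe@contractor.example",
    "employee_name": "Jane Doe",
    "analyst_notes": ("User j.doe@contractor.example on 10.20.30.41 opened the "
                      "lure; beacon to update-check.example.net from 10.20.30.41."),
}


def scrub_text(text):
    """Redact e-mail addresses and internal IPs embedded in free text."""
    text = EMAIL_RE.sub("[EMAIL REDACTED]", text)
    return PRIVATE_IP_RE.sub("[INTERNAL IP REDACTED]", text)


def deidentify(indicator, threat_related=()):
    """Return (scrubbed_copy, removed_field_names).

    threat_related lists personal fields the submitter asserts are directly
    related to the threat; those are retained verbatim for human review.
    """
    out, removed = {}, []
    for key, value in indicator.items():
        if key in PERSONAL_FIELDS:
            if key in threat_related:
                out[key] = value
            else:
                removed.append(key)
            continue
        if key in THREAT_FIELDS:
            out[key] = value
            continue
        # Unclassified or free-text fields: keep, but strip embedded identifiers.
        out[key] = scrub_text(value) if isinstance(value, str) else value
    return out, removed


def residual_identifiers(record):
    """Names of fields that still contain an e-mail or internal address."""
    return [k for k, v in record.items()
            if isinstance(v, str) and (EMAIL_RE.search(v) or PRIVATE_IP_RE.search(v))]


if __name__ == "__main__":
    scrubbed, removed = deidentify(SAMPLE_INDICATOR)
    print("removed fields:", removed)
    for k, v in scrubbed.items():
        print(f"{k}: {v}")
    print("residual identifiers:", residual_identifiers(scrubbed))
```

The allowlist is deliberately explicit: an unknown field is not assumed safe, it is retained only after the same text scrubbing applied to analyst notes. Anything reported by `residual_identifiers` after scrubbing is either a regex gap to fix or a personal field someone chose to keep, and the name of that field plus the `threat_related` justification is the evidence to retain for the submission record.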
National Cybersecurity Advancement
This title actually comprises two separate Acts: the “National Cybersecurity Protection Advancement Act of 2015”, which amends the “Homeland Security Act of 2002”, and the “Federal Cybersecurity Enhancement Act of 2015”.
National Cybersecurity Protection Advancement Act of 2015
This Act codifies and expands the role of DHS’s National Cybersecurity and Communications Integration Center (NCCIC) as the hub through which all Federal entities receive Cyber Threat Indicator information without delay, to facilitate efficient and effective response.
- Through automated mechanisms, DHS must share indicators and defensive measures in real time with Federal entities and with participating non-Federal entities.
- Finally, DHS will develop and maintain risk-based plans for the greater protection of critical infrastructure, including key transportation ports, reporting findings and recommendations to Congress, which will provide oversight of ongoing activities.
- This oversight will likely mean further legislation down the road.
Federal Cybersecurity Enhancement Act of 2015
Where the former Act concerns the collection of cyber threat information, the “Enhancement Act” focuses on acting on the analysis of that information to improve the security posture of Federal information systems. DHS will detect and block intrusions through a government-wide intrusion detection and prevention capability that it deploys and operates on behalf of the agencies.
- NIST may enhance information security standards for intrusion detection and prevention, and those standards must be enforced by each agency, including at its contractors.
- The Secretary of Homeland Security may issue emergency Directives to the agencies, under defined circumstances, to deal with significant cyber threats. These Directives will affect contractors as well.
- Accountability: the Secretary will issue an annual report to Congress describing any special Directives and the degree of compliance with standards and Directives for all stakeholder agencies and organizations (read: contractors).
Federal Cybersecurity Workforce Assessment
Like the rest of the information security world, the Federal government is concerned with its talent pool. This title calls for the Office of Personnel Management to conduct an ongoing assessment of the Federal cybersecurity workforce, including critical roles and skill sets. Each agency will be assessed to determine how well it currently fills, and continues to fill, those roles. This information will be reported annually to a wide range of Congressional committees, who will hopefully secure funding to ensure those roles get filled.
Other Cyber Matters
This final title includes a variety of additional cybersecurity initiatives, specifically focused on governmental information systems, including:
- Study on Mobile Device Security – This assessment will examine current strategies for mobile device security management, recommend changes to minimize threat risk, and develop a plan for implementation by Homeland Security.
- Department of State International Cyberspace Policy Strategy – The Department of State is authorized to promote multilateral cooperation and interoperability with other countries to tighten cybersecurity. The Department of State will investigate the activities of prominent nations and state-sponsored actors, with the goal of developing policy to mitigate the risks associated with unfriendly cyber behavior.
- Apprehension and Prosecution of International Cyber Criminals – The Secretary of State shall work with officials from other countries to identify cyber criminals, determine their current locations and potential for extradition, and, if necessary, identify alternate methods to apprehend and prosecute those criminals.
- Enhancement of Emergency Services – The Secretary of Homeland Security will establish a process to collect and report on threats to networks and systems used by Emergency Response Providers. The report will include recommendations for actions to reduce these cyber risks and increase resilience.
- Improving Cybersecurity in the Health Care Industry – The Secretary of Health and Human Services (HHS) will report to Congress on its current preparedness to respond to cybersecurity threats. Recognizing that these threats permeate the industry’s private sector, HHS will coordinate a Health Care Industry Cybersecurity Task Force with industry stakeholders to examine best practices of other industries and make recommendations to align security approaches and safeguards. Of particular concern is the security of health care software and medical devices. Industry participation is strictly voluntary.
- The Food and Drug Administration has already proposed draft guidelines for medical device makers to share cyber threat information via information sharing and analysis organizations, including the Department of Homeland Security’s CERT.
Federal Contractor Impact
These initiatives will inevitably impact Federal contractors, as agencies must report on all entities conducting business on their behalf. As the law reaches implementation, information security managers should expect:
- Special information requests, particularly in the health care and defense industries;
- Evidence to substantiate logical access and multi-factor authentication controls; and
- Further recommended guidance and NIST standards updates around the security protection of mobile devices.