Post on 14-Oct-2020

3 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: INFORMATION SHARING AND EU CYBERSECURITY/media/Files/Insights... · *This webinar is offered for informational purposes only, and the content should not be construed as legal advice

www.dlapiper.com 0

INFORMATION SHARING AND EU CYBERSECURITY

Senator Saxby Chambliss, DLA PiperMatt Shabat, Department of Homeland SecurityGiulio Coraggio, DLA Piper

If you cannot hear us speaking, please make sure you have called into the teleconference number on your invite information.

• US participants: 1 800 908 9284
• Outside the US: 212 231 2909
• The audio portion is available via conference call. It is not broadcast through your computer.

*This webinar is offered for informational purposes only, and the content should not be construed as legal advice on any matter.


Speakers

• Senator Saxby Chambliss, Partner, Atlanta, DLA Piper, [email protected]
• Giulio Coraggio, Partner, Milan, DLA Piper, [email protected], +39 02 80 618 619
• Matt Shabat, Director of Performance Management, Office of Cybersecurity & Communications, Department of Homeland Security, [email protected]


Evolution of cyber-risk

• Who are the attackers?
  – Nation states
    – Russia
    – China
    – Iran
    – North Korea, to a lesser extent
  – Common criminals
  – Experimental hackers


What are attackers seeking?

• Financial information
• Classified/proprietary
• Personal information
• Ransomware
• 2014 – 2 prominent attacks


Does the federal government have a role?

• USG (NSA, DHS) is very sophisticated in the world of cyber
• Commonality, i.e., data breach laws
• Only Congress can grant protections


CISA is the first step

• Comprehensive vs. info sharing
• Voluntary vs. mandatory


Liability protection and antitrust exemption

• Only if privacy rules adhered to
• Private to private; private to USG


Must coordinate with other countries

• Very important to find commonality
• Particularly important to work with our friends


Next USG domestic step

• Data breach
• Encryption


Methods of sharing

• DHS guidelines
• CISA implementation


Cybersecurity Information Sharing Act of 2015

Homeland Security, Office of Cybersecurity & Communications
June 2016


Cybersecurity Act of 2015

• Title 1: Cybersecurity Information Sharing Act of 2015
  – Establishes procedures, privacy protections, liability and other legal protections
• Title 2: National Cybersecurity Advancement
  – Enhances NCCIC’s intrusion detection and prevention capabilities
  – Further defines NCCIC’s information sharing authorities
• Other titles cover
  – Federal cybersecurity workforce assessment
  – DHS mobile device study
  – HHS healthcare sector task force with NIST and DHS
  – Statewide Interoperability Coordinator reporting cybersecurity matters to NCCIC; NCCIC provides analysis and support


Cybersecurity Information Sharing Act of 2015

• Authorizes companies to share cyber threat indicators and defensive measures with each other and with DHS, with liability protection
• Identifies permitted uses of cyber threat indicators and defensive measures
• Authorizes companies to monitor their own information systems and to operate defensive measures on their systems
• Establishes privacy protections required of the sharing entity and receiving government agency


CISA deliverables

• Four implementation documents:
  – Guidelines for sharing information by the federal government
  – Guidance to companies and non-federal entities for sharing cyber threat indicators and defensive measures with the federal government
  – Operational procedures for sharing cyber threat indicators and defensive measures with the federal government
  – Privacy and civil liberties guidelines
• Secretary of Homeland Security March 17 certification that automated capability authorized by Act is operational


CISA deliverables

• Guidelines for sharing information by the federal government
  – Summary: Describes the current mechanisms through which the appropriate Federal entities share information with non-Federal entities.
  – Due Date: Final at 60 days (February 16, 2016)


CISA deliverables

• Operational procedures for sharing cyber threat indicators and defensive measures with the federal government
  – Summary: Establishes procedures relating to the receipt of certain cyber threat indicators and defensive measures by all Federal entities under CISA. Describes the processes for receiving, handling, and disseminating information that is shared pursuant to CISA, including through operation of the DHS Automated Indicator Sharing capability.
  – Due Date: Interim at 60 days (February 16, 2016), Final at 180 days (June 15, 2016)


CISA deliverables

• Guidance to companies and other non-federal entities for sharing cyber threat indicators and defensive measures with the federal government
  – Summary: Provides information to assist non-federal entities who voluntarily elect to share cyber threat indicators with the federal government to do so in accordance with CISA. Assists non-federal entities to identify defensive measures and explain how to share them with federal entities as provided by CISA. Describes the protections non-federal entities receive under CISA.
  – Due Date: Final at 60 days (February 16, 2016); updated June 15, 2016.


Cyber threat indicators and defensive measures


Liability protection

• CISA extends liability protection to private entities for sharing of a cyber threat indicator or defensive measure through the federal government’s capability and process operated by DHS
  – As long as the sharing is conducted in accordance with the Act.
• For more information please see:
  – Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 (available at www.us-cert.gov/ais) or
  – Section 106 of CISA


SLTT-specific provisions

• Law enforcement use
  – An SLTT government that receives a cyber threat indicator or defensive measure under CISA may use it for specified purposes, such as a cybersecurity purpose, identifying a cybersecurity threat, identifying a security vulnerability, responding to or preventing/mitigating a specific threat of death, serious bodily harm, serious threat to a minor or serious economic harm, or prosecuting offenses under 18 U.S.C. 1028-1030
• Exemption from disclosure
  – A cyber threat indicator or defensive measure shared by or with an SLTT government, including a component of such government that is a private entity, under CISA is deemed voluntarily shared information and exempt from disclosure under state, tribal or local freedom of information, open government, open records, sunshine or similar laws
• Regulatory authority
  – A cyber threat indicator or defensive measure cannot be used to regulate the lawful activity of a non-federal entity
  – Exception: they may be used, consistent with a regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats, to inform the development or implementation of such regulation


CISA deliverables

• Privacy and civil liberties guidelines
  – Summary: Establishes privacy and civil liberties guidelines for the receipt, retention, use, and dissemination of cyber threat indicators by a federal entity obtained in connection with the activities authorized by CISA, consistent with the need to protect information systems from cybersecurity threats, any other applicable provisions of law, and the Fair Information Practice Principles
  – Due Date: Interim at 60 days (February 16, 2016); Final at 180 days (June 15, 2016). Requires review every 2 years


Privacy protections in CISA

• CISA includes various privacy protections for the receipt, retention, use and dissemination of cyber threat indicators
• One main privacy protection requires federal and non-federal entities, prior to sharing, to:
  – Review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that such federal/non-federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual, and remove such information; or
  – Implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the federal/non-federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.


DHS AIS privacy scrub

• Under AIS, DHS will receive cyber threat indicators and defensive measures through that portal in a standard, automated format and apply unanimously agreed upon controls as described in the Section 105(a)(1)-(3) procedures
• DHS will use automated processing for mitigation of remaining personal information risks through schema restrictions, controlled vocabulary, regular expressions (i.e., pattern matching), known good values, and auto-generated text
• Any fields that do not meet certain predetermined criteria defined through the AIS Profile and in the submission guidance will be referred for human review to ensure the field does not contain personal information of specific individuals or information that identifies specific individuals not directly related to the cybersecurity threat
• When a field within a cyber threat indicator or defensive measure is referred for human review, DHS will still transmit the fields that do not require human review to the appropriate Federal entities without delay
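The "technical capability" the Act allows in place of manual review, and the two-path AIS scrub just described (automated schema, vocabulary, pattern and known-good checks, with failing fields referred to a human while the rest is forwarded at once), are sketched below as an added Python example. It is not DHS or AIS code; the field names, vocabularies, patterns and the sample indicator are constructed assumptions standing in for the real AIS Profile.

```python
import re

# Constructed rule set (assumption: the real AIS Profile defines its own fields and criteria).
ALLOWED_FIELDS = {"indicator_type", "value", "tlp", "title", "description", "source_contact"}
CONTROLLED_VOCAB = {"indicator_type": {"ipv4-addr", "domain-name", "file-hash-sha256"}}
KNOWN_GOOD = {"tlp": {"WHITE", "GREEN", "AMBER"}}
VALUE_FORMAT = {  # a value must look like its declared indicator type
    "ipv4-addr": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "domain-name": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I),
    "file-hash-sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
}
# Free-text patterns that suggest personal information: e-mail, US-style phone, SSN-like number.
PII_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
]
FREE_TEXT = ("description", "source_contact")


def scrub_indicator(indicator):
    """Split one submitted indicator (dict of string fields) into the fields that can be
    forwarded automatically and the fields referred for human review, with a reason each.
    Fields the automated checks cannot clear are never silently forwarded."""
    release, review = {}, {}
    itype = indicator.get("indicator_type")
    for name, val in indicator.items():
        if name not in ALLOWED_FIELDS:                       # schema restriction
            review[name] = "field not in profile schema"
        elif name in CONTROLLED_VOCAB and val not in CONTROLLED_VOCAB[name]:
            review[name] = "value outside controlled vocabulary"
        elif name in KNOWN_GOOD and val not in KNOWN_GOOD[name]:
            review[name] = "value not in known-good set"
        elif name == "value" and (itype not in VALUE_FORMAT or not VALUE_FORMAT[itype].match(val)):
            review[name] = "value does not match the pattern for its indicator type"
        elif name == "title":                                # auto-generated text replaces submitted text
            release[name] = f"{itype} indicator submitted via automated sharing"
        elif name in FREE_TEXT and any(p.search(val) for p in PII_PATTERNS):
            review[name] = "possible personal information in free text"
        else:
            release[name] = val
    return release, review


# Constructed sample submission; 203.0.113.7 is from the TEST-NET-3 documentation range.
SAMPLE = {
    "indicator_type": "ipv4-addr",
    "value": "203.0.113.7",
    "tlp": "GREEN",
    "title": "Suspicious IP seen on Jane's workstation",
    "description": "Beaconing observed; contact jane.doe@example.com for logs",
    "source_contact": "soc@example.org",
    "internal_ticket": "INC-12345",
}

if __name__ == "__main__":
    cleared, held = scrub_indicator(SAMPLE)
    print("forwarded without delay:", cleared)
    print("referred for human review:", held)
```

The org-level mailbox in source_contact is held as well: the automated pass cannot tell a shared mailbox from a person's address, so it defers to review rather than guess.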


CISA capabilities

• Automated real-time capability: Automated Indicator Sharing (AIS)
  – Uses the Structured Threat Information eXpression (STIX) standard (XML format with a series of machine-readable fields) and the Trusted Automated eXchange of Indicator Information (TAXII) protocol
• Web form and email options
  – www.us-cert.gov/ais
• Privacy scrub


Automated Indicator Sharing


How to sign up for AIS

1. Sign and return the appropriate participation agreement
   – Terms of use (non-federal entities)
   – Multilateral Information Sharing Agreement (for federal agencies)
2. Next, have something that can talk TAXII
   – You can use the DHS TAXII client, an open source implementation or purchase a commercial solution
3. Sign an Interconnection Security Agreement to document the connection and capture relevant security information
4. Finally, we exchange certificates and you give us the IP you’re coming from so it can get whitelisted


DHS Office of Cybersecurity & Communications contact information

• For more information:
  – www.DHS.gov/AIS
  – www.us-cert.gov/AIS
• Additional questions? [email protected]
• Matt Shabat, Director of Performance Management, Office of Cybersecurity & Communications, [email protected], 703-235-5338


What is the EU approach to cybersecurity?

• Better defence
• Contribution from private sector
• Increased cyber security capabilities
• Enhancing cooperation between Member States


Upcoming adoption of Network and Information Security Directive


General Data Protection Regulation is a revolution on privacy compliance…

Put May 25, 2018 on your calendar


It applies wherever you are located


Sets stringent security obligations

• Data Protection Officer
• Security by design
• Adequate security measures


And in case of data breach…


The potential sanctions are massive

… of the global turnover

New accountability principle…


Public-private partnership (cPPP)

Public Consultation

Technical Standards


Questions?

• Contact us to learn more
  – Senator Saxby Chambliss, Partner, Atlanta, DLA Piper, [email protected]
  – Giulio Coraggio, Partner, Milan, DLA Piper, [email protected], +39 02 80 618 619
  – Matt Shabat, Director of Performance Management, Office of Cybersecurity & Communications, Department of Homeland Security, [email protected]