Am I Protected?: Sharing Cyber Threat Information Between the Government and Private Sector

The Cybersecurity Information Sharing Act of 2015 was Congress’ fix to the confusing statutes that regulated the cyber threat information that could pass between the private sector and the federal government. Eight years later, many people still don’t know the law exists or what a valuable tool it can be. In this episode, guest Leonard Bailey, head of the Computer Crime and Intellectual Property Section’s Cybersecurity Unit with the Department of Justice, explores the Cybersecurity Information Sharing Act and its benefits.


 

 

00;00;00;20 - 00;00;26;25
Tom Haederle
Cyber threats and cyber attacks against private sector entities from hospitals to banks to credit card companies have been ramping up for more than a decade. And continue every single day. But when such attacks occur, private sector cooperation with federal law enforcement agencies is often cautious. Lawyers worry about legal liabilities or penalties for sharing too much information about the threats directed against their organizations.

00;00;26;28 - 00;01;08;25
Tom Haederle
Well, here are two experts on this topic with a simple message: Relax, the law has you covered. Welcome to Advancing Health, a podcast from the American Hospital Association. I'm Tom Haederle with AHA Communications. The Cybersecurity Information Sharing Act of 2015 was Congress's fix to the problem of too many confusing statutes that regulated the type and amount of cyberthreat information that could pass between the private sector and the federal government.

00;01;08;28 - 00;01;39;29
Tom Haederle
The act superseded earlier laws and was intended to enhance cooperation and investigation of cyber crimes. The problem is, eight years later, many people still don't know the law exists or what a valuable tool it can be. In today's podcast, John Riggi, AHA's national advisor for Cybersecurity and Risk, explores the Cybersecurity Information Sharing Act of 2015 with Leonard Bailey, head of the Computer Crime and Intellectual Property Section's Cybersecurity Unit with the Department of Justice.

00;01;40;02 - 00;01;41;22
Tom Haederle
Over to you, John.

00;01;41;25 - 00;02;08;15
John Riggi
Thank you, Tom, and thanks to all our listeners for tuning in again today. We have a very special and very important episode today concerning the legal protections afforded for cyber threat information sharing between the federal government and private sector entities. So pleased and honored to have my good friend and colleague Leonard Bailey here with us today from the Department of Justice.

00;02;08;17 - 00;02;42;03
John Riggi
Leonard is the head of the cybersecurity unit and special counsel for national security in the Criminal Division's Computer Crime and Intellectual Property Section. He has prosecuted computer crime cases and routinely advised on cybersecurity, searching and seizing electronic evidence, and conducting electronic surveillance. Leonard has managed DOJ's cyber policy as senior counsel to the Assistant Attorney General for National Security Division and as an associate deputy attorney general.

00;02;42;06 - 00;03;11;27
John Riggi
He has also served as counsel and Special Investigative Counsel for DOJ's Inspector General. Leonard is a graduate of Yale University and Yale Law School. He was awarded the John C. Keeney Award in 2015. And I know Leonard as a friend from when I was at FBI in Cyber Division and also in counterterrorism. And Leonard is one of these career government servants who have actually been in government service for over 30 years.

00;03;12;04 - 00;03;45;05
John Riggi
And, Leonard, perhaps we can hopefully shed some light on the protections afforded by the Cyber Security Sharing Act of 2015 and how that encourages cyberthreat information sharing between the private sector and the federal government, which is critical not only for the victims of potential cyber attacks, but also to help protect the nation. And so, Leonard, perhaps we could start with a general explanation of the terms of the Cyber Security Information Sharing Act of 2015.

00;03;45;08 - 00;03;51;14
John Riggi
And just in general, if you could give us a brief overview of that very important piece of legislation.

00;03;51;17 - 00;04;28;08
Leonard Bailey
Of course, John, and thank you again very much for inviting me to be on the show. So I think it might be helpful to provide a quick scene setter explaining what was happening at the time and when all of this legislation was being considered, negotiated, going back to the early 2010s. And so in the early 2010s, what you had in 2010, for example, you had the hack of Google, of Rackspace, of Adobe that McAfee had attributed to Chinese state actors or their proxies.

00;04;28;11 - 00;05;00;27
Leonard Bailey
You had in 2011 a threat coming from a whole different direction. LulzSec, who were breaking into large companies' networks and taking documents and doxing the companies essentially for cyber joyriding purposes. 2012 things tick up in severity, and you've got things like the Shamoon virus wiper virus that destroyed 35,000 computers that belonged to Saudi Aramco. In the States, you had a spate of directed denial of service attacks against the US banking companies.

00;05;00;29 - 00;05;30;04
Leonard Bailey
And then 2013 becomes the year of the mega breach. You had Target, followed within a year by JPMorgan, Anthem, Home Depot, all breaches that involved tens of millions of records. And so there was just a burgeoning appreciation for the scope, scale and severity of the cyber threat that prompted Congress to say we must do something. And so one of the things they decided to do was focus on information sharing.

00;05;30;06 - 00;05;56;24
Leonard Bailey
Now, there had been an earlier attempt to get cybersecurity legislation. There was an effort started in 2010 that resulted in a vote in 2012 on what was really an omnibus cybersecurity bill that was much larger, had a lot of moving parts to it and ultimately didn't pass. That was ultimately knocked down and resulted in what we have now, which is the Cybersecurity Information Sharing Act of 2015 or CISA 2015

00;05;56;26 - 00;06;21;18
Leonard Bailey
as we like to shorthand it. CISA 2015 was the product of discussions with industry and private sector actors who explained what it was they needed in the world of information sharing. CISA actually does more than information sharing and also authorizes monitoring of one's own network. It also authorizes the use of defensive measures applied to your own network.

00;06;21;25 - 00;06;49;10
Leonard Bailey
But we're focusing really on information sharing today and in the information sharing space there was a complaint that it was just too hard. It was too complex, that there was not one statute that you could go to that would authorize you to share information. Instead, what there were were multiple statutes with prohibitions and sharing had to happen within the exceptions of those statutes.

00;06;49;10 - 00;07;34;19
Leonard Bailey
And what that means is you had lawyers in the way. You know, I like lawyers. I am a lawyer, but I know that having lawyers involved has some consequence that things move more slowly. People are cautious and worry about what they do. So Congress really wanted to enact exactly that, kind of got the lawyers out of the way, that provided broad sharing authority, but still targeted at the type of information that people need to conduct cybersecurity and sort of defensive type of activities, because Congress was also concerned about the privacy and civil liberties impact of information sharing, certainly on the heels of the 2013 Edward Snowden disclosures.

00;07;34;21 - 00;08;21;00
John Riggi
Right. Thanks for that, Leonard. And it's interesting you talk about how the rightful concern by generally lawyers, outside counsel, to protect organizations from civil and regulatory liability often does slow down that very important information sharing with the federal government, with Department of Homeland Security, and the FBI. And I'm always surprised that when I'm called in to an incident to help a hospital victim of ransomware and I interact with the general counsel, I'm very surprised how often I hear that outside counsel is unaware of the statute and the protections afforded and which because their general response, often with the victim is or general guidance, I should say, is slow down sharing.

00;08;21;06 - 00;08;38;25
John Riggi
Let's be very cautious what we share with the government. We're concerned about civil and regulatory liability. So, Leonard, what type of information sharing is actually covered under this statute, and what is considered cyber threat indicators and defensive measures for the purpose of this statute?

00;08;38;27 - 00;09;01;17
Leonard Bailey
Of course, John, you just put your thumb on what is probably the biggest frustration I have working on information sharing. So, as you said, many companies and outside counsel and general counsel seem to be unaware of the existence of CISA 2015. And it's curious about that one. It's because since 2015, it's also going to sunset in 2025.

00;09;01;20 - 00;09;39;04
Leonard Bailey
So there's going to be an effort to figure out what we can do to get reauthorized and how it maybe needs to be amended. But there's no question about what Congress's intent was when they enacted this law. In fact, reading from the joint explanatory statement from Congress, when they enacted this in 2015, Congress noted, quote, "This legislation is designed to create a voluntary service and information sharing process that will encourage public and private sector entities to share cyberthreat information without legal barriers or the threat of unfounded litigation."

00;09;39;06 - 00;10;06;05
Leonard Bailey
And so that's right from no Congress, in explaining what it was that they intended this to do. The way they did that was by, as they said, providing broad authority under section 1503(c) that the law provides affirmative authority for any private entity to share cyber threat indicators. Now, there are a few things that I would quickly note about that.

00;10;06;05 - 00;10;35;08
Leonard Bailey
I mean, first, that authority is provided notwithstanding any other provision of law. And what that phrase means in lawyer speak, is Congress intended this law to wipe away any conflicting law. So if there's any law that prior to CISA 2015 had encumbered information sharing, this overrides that law. So it's very strong liability protection because, again, forming the suit under those laws, it doesn't apply.

00;10;35;10 - 00;11;22;04
Leonard Bailey
It, though, does have certain requirements that come with it. First, as you know, that you have to share a cyberthreat indicator. And the cyber indicator is a term defined by the statute. 6 U.S.C. 1501(6) defines the eight elements of eight things that could be a cyber threat indicator. And what Congress intended to do there was to define the type of information, the kind of technical information largely is used to protect things that you used to conduct malware analysis that you would need to do to create signatures, to configure firewalls, things that help you spot indicators of compromise, things that you would really need to do as really baseline good practices on

00;11;22;04 - 00;11;57;27
Leonard Bailey
any network. And so if you have information that falls within this, you know, cyber threat indicator or defensive measure you're authorized to share, there is a requirement that you remove certain information before you share. And getting kind of down in the weeds, is this just under 1503(d)(2) that the sharer must, prior to sharing, remove any personal information that identifies a specific person or belongs to a specific person that is not directly related to a cybersecurity threat.

00;11;57;29 - 00;12;25;16
Leonard Bailey
And if I could unpack that for a second, that all: One) means something that's different than PII. Personally identifiable information is information that's linked or linked. This intentionally is information that you must know at the time of sharing is personal information that belongs to a specific person or that identifies a specific person, which is narrower than prior.

00;12;25;19 - 00;12;53;25
Leonard Bailey
But even then, that information may still be shared, even if it's personal information, if it's still directly related to a cyber security threat. So, for example, in the case of a ransomware attack, if there were an email address that identified a specific person, well, that was used in the attack and therefore it be directly related and thus sharable, as long as you share under the statute a cyber threat indicator, you remove the personal information.

00;12;53;27 - 00;13;08;09
Leonard Bailey
And the last thing I should mention is it must be shared for a cybersecurity purpose, also defined by the statute being for the purpose of protecting information system or information from a cybersecurity threat.

00;13;08;11 - 00;13;32;23
John Riggi
Thanks for that, Leonard. Two thoughts I have. First of all, even I was unaware that the statute sunsets in 2025, so hopefully we can mount a vigorous campaign and I think the AHA would be very happy to support renewal of this statute because we only see positive for this as well. And of course, you mentioned PII, personally identifiable information for hospitals.

00;13;32;23 - 00;13;59;15
John Riggi
Of course, we have lots of protected health information with them throughout our network. So we're very conscious of that, as well as not sharing PHI as well unintentionally with the government. We would never share intentionally. So all good points. Now, the liability protections, the crux of the issue, right? In terms of making broader use of this statute and where, quite frankly, a lot of the confusion lies.

00;13;59;18 - 00;14;07;22
John Riggi
Leonard, what are the types of liability protection in which were afforded private entities who share threat information with the government?

00;14;07;24 - 00;14;57;27
Leonard Bailey
So, John, there are, I'd say two different liability protections that CISA 2015 affords private entities in share. The first is very, very broad authority. As I mentioned earlier, to share, notwithstanding any other provision of the law. And that's really quite critical because if there is a claim against a company alleging that they share it, contrary to some law, CISA 2015 overrides that as long as you share in accordance with the statute for a cybersecurity purpose and you remove the personal information, as we discussed. One thing that's caused some confusion is that there is a separate provision in Section 1505 that provides a bump, an additional type of which, if you

00;14;57;27 - 00;15;31;03
Leonard Bailey
conduct sharing through DHS, through DHS's capability and processes, under section 1505, you get prompt dismissal of any lawsuit brought against you for the sharing. So in addition to the notwithstanding protection, this prompt dismissal may lead to something like, let's say, dismissal prior to discovery in a lawsuit. And so that would be some advantage. But undergirding all of that is this broad authority under the notwithstanding clause.

00;15;31;06 - 00;16;03;14
John Riggi
Clearly the issues of discovery is what causes a lot of concern with general counsel and outside counsel during a breach. And they are concerned that the communications with the government would be discoverable under some, unfortunately, all too common civil action, which immediately follows these ransomware attacks. A little bit of commentary from my personal perspective, I honestly view these suits often when there were they appear to be without merit, is almost revictimizing the victim.

00;16;03;16 - 00;16;21;01
John Riggi
But again, that's my personal commentary on that. But let's get back to the statute here. So I know you and I have had lots of discussions about other legal protections afforded under the statute. Could you describe to us a little bit about those other legal protections provided under CISA 2015?

00;16;21;04 - 00;17;09;05
Leonard Bailey
Of course. And your comments are really apropos of this question, generally of information about provide, which is that there are these other legal protections in addition to the liability protection we discussed that are available any time you share under CISA. That is whether you're doing it with any federal agency, the FBI, the Secret Service or FDA, or if you're sharing it specifically with DHS and these legal protections include things like protection from waiver of privilege, as you just mentioned, so that you can share a cyber indicator or defensive measure with another private party or with the government and not risk waiving the attorney client privilege or work product privilege.

00;17;09;07 - 00;17;43;21
Leonard Bailey
There's also protection from antitrust liability. There is protection from disclosure laws, which would mean that the information that was released would not be FOIA-able. And there's also legal protection for regulatory use of the shared information. That is the cyber indicators, which defensive measures can't be used in a regulatory action against the sharer. So anyone who shares under CISA 2015 with any federal entity or private entity is afforded those legal protections.

00;17;43;24 - 00;18;15;00
John Riggi
This is a really powerful and benefit statute, truly in the public interest, in the government interest, providing all of these protections. You know, we often speak whether of government or private sector cybersecurity professionals talk about how we need to engage in a whole of nation approach to help defend the nation against cyber threats. In this statute, which unfortunately is not as widely known as I think we'd all like, provides all the measures and protections to help facilitate that.

00;18;15;02 - 00;18;32;23
John Riggi
And again, I think it leads to my next question here. Does it also cover protection among private entities, sharing among private entities? So we want to share with threat information sharing groups such as the Health ISAC with AHA, so forth.

00;18;32;26 - 00;18;58;06
Leonard Bailey
John, absolutely. And that's another, as you pointed out, kind of misunderstanding about the statute. It covers sharing from private entity to another private entity or from a private entity to the government. So yes, sharing between, let's say, a hospital and the H-ISAC would be covered, sharing among ISAC would be covered, sharing from a hospital to the government would be covered.

00;18;58;08 - 00;19;21;26
Leonard Bailey
The only thing that's not covered is the government sharing. Because Congress avoided providing the government with any additional authorities because of the concerns following the Edward Snowden disclosures. But it afforded private entities absolute authority under the statute. And so it protects any sharing that's done by the private entities.

00;19;21;29 - 00;19;44;21
John Riggi
So this is such an empowering statute. I mean, it really provides for us, I think, now on the private sector side, really does provide all of the coverages that we would want and we would certainly seek through our counsels. And how does the information sharing protections vary when sharing with DHS - CISA - versus other government agencies?

00;19;44;21 - 00;20;00;13
John Riggi
I get this quite a bit, "John, if we just share with the FBI, are we covered?" Of course we want sharing notification to CISA and the FBI jointly. So if you can answer that. And then what about if information is just shared directly with the ISAC?

00;20;00;16 - 00;20;29;03
Leonard Bailey
Of course. So as I mentioned earlier, this is really I'm glad you brought this up again, because it is the source of a lot of confusion because of the structure of the statute. So sharing it with anyone, if I'm a private entity, receives some measure of protection, if it's shared consistent with CISA 2015. If I share with the FBI that sharing is protected, notwithstanding any other provision of law, and I don't need to share it with DHS, even though I should.

00;20;29;05 - 00;21;07;01
Leonard Bailey
But even sharing directly with the FBI solely was protected from private NDA shared solely with H-ISAC. I get that same notwithstanding protections. If I share it with DHS through that up capability or process under section 1505, that's where you get that additional bump of prompt dismissal of a lawsuit. But absent that, all the other sharing that's covered by CISA is covered, receives liability protections under the notwithstanding clause and the legal protections we just discussed.

00;21;07;04 - 00;21;28;06
John Riggi
I think I have it we may have to put together a wiring diagram or a chart or flow chart at some point might help explain this to the listeners. But the bottom line is there is tremendous amount of liability and legal protections afforded under the statute for information sharing between private sector and the government and across private sector.

00;21;28;08 - 00;21;57;08
John Riggi
One of the questions I often get when I respond to these attacks, again to provide strategic guidance are the questions surrounding the information related to the impact of an attack. We have seen over and over again that high impact ransomware attacks against hospitals result in the delay and disruption of patient care, diversion of ambulances, delay of cancer treatment, ultimately risking patient safety.

00;21;57;11 - 00;22;22;14
John Riggi
There is often hesitancy by the victims, and I want to stress victims of crime to share the information related to the impact of the attack because they feel there will be extended potential civil liability, whether the suits have merit. Again, I hear this phrase, they feel like they're being revictimized through these often meritless civil actions which follow.

00;22;22;16 - 00;22;27;26
John Riggi
So what are your thoughts on that, Leonard, about sharing the information related to the impact of an attack?

00;22;27;28 - 00;22;55;05
Leonard Bailey
Yes, so that's a great question. One of the challenges of the statute itself is that there's not a tremendous amount of legislative history and not a lot of case law that's interpreted since. I will say that the type of information that it allows one to share is technical information. But it also in some ways to broadly capture information that relates to a cybersecurity threat.

00;22;55;07 - 00;23;32;06
Leonard Bailey
So the definition of a cyber indicator includes any information that is necessary to describe or identify seven elements, seven different things that might be a cybersecurity threat under the definition plus one catchall provision that reads: any other attribute of a cybersecurity threat if disclosure of such attribute is not otherwise prohibited by law. And I think one question that could come up and we are not a regulator of the statute, we don't have any sort of deference given to us in our interpretation of the statute.

00;23;32;06 - 00;24;02;16
Leonard Bailey
And ultimately a court would decide. But one question might be whether that sort of impact is something that would be an attribute of the threat that's not otherwise prohibited by law. And so I think it would take general counsel, outside counsel, really looking at this definition and seeing if they would be able to insert it into one of these different elements of or the cybersecurity indicator is.

00;24;02;19 - 00;24;06;08
Leonard Bailey
But I think there might be some avenues that should be explored.

00;24;06;10 - 00;24;38;03
John Riggi
That's a very good point. Leonard. We often are asked by the government to share what the impact of an attack is because the government has a valid interest, a valid public interest in assessing the potential threat to public health and safety caused by a particular ransomware attack. Because there's very strong concern and somewhat legitimate concern, I would say, since there's no case law about how that information might end up being discoverable in some following civil action.

00;24;38;03 - 00;25;09;13
John Riggi
So we have this paradox. The victim wants to share information with the government in terms of the impact. The government should have that information to assess what the general threat to public health and safety is. But there is this gray legal area. So your comments about a potential avenue to explore granted undecided by a court as of now, but certainly an area that could afford some interpretation that would allow that sharing with some of these protections.

00;25;09;16 - 00;25;33;21
John Riggi
Leonard, knowing there is minimal or no case law or challenges to the statute, but as I just said, what knowing how incredibly important it is for the victim organizations to quickly share cyber threat information, not only for their own benefit, but quite frankly, for the defense of the nation. What is your summary guidance to the nation's hospitals and private sector as the premier expert on this statute?

00;25;33;24 - 00;26;09;14
Leonard Bailey
So I would say, and I think my colleagues at CISA worked on this and jointly provide guidance on the statute would both say that this is a vastly underused tool. As you pointed out, this is an area of great concern for industry and for the government. The nature of cybersecurity threats, the amount of harm, the impact of such events, the ransomware attacks we've seen that have targeted hospitals and the impact that that's had on the operation of hospitals and possibly the health of people.

00;26;09;17 - 00;26;39;08
Leonard Bailey
The thing I would strongly encourage is for people, lawyers and organizations to avail themselves of these tools. This is a tool that was created specifically to encourage sharing that will allow us to be better prepared for these sorts of events that will allow us to defend against these events in a more competent way. And so I guess I would just exhort people to try to use this tool that we've got.

00;26;39;10 - 00;27;10;08
John Riggi
Totally agreed, Leonard. And we at the American Hospital Association will do everything in our power to continue to educate and promote the use of this statute and quite frankly, make folks aware of the existence of this statute, again, because there is mutual interest within health care, within all of private sector and within the government to understand the nature of cyberthreats, the impact it poses to our economy, to people, to public health and safety and for national security.

00;27;10;08 - 00;27;38;23
John Riggi
So, Leonard, thank you so much for being here. And thanks to all the men and women at the Department of Justice for everything you do every day to pursue and prosecute cyber adversaries and all those who threaten the security of the United States and thanks to all our listeners and especially our frontline health care heroes for everything you do to care for patients and serve our communities. This has been John Riggi, your national advisor for Cybersecurity and Risk.

00;27;38;25 - 00;27;39;29
John Riggi
Stay safe everyone.