CISA in Context: The Voluntary Sharing Model and that "Other" Portal

This installment, let’s examine the following questions:

• The government gives up an awful lot in CISA in terms of reassurances to the private sector. Why?
• What’s the deal with the “other” portal?
• Why exactly is the FBI so worried?

As I argued in my last post, understanding DHS’s Automated Indicator Sharing (AIS) Portal is critical to answering all three questions. The AIS threat indicators are tightly constrained, both to exclude personal information unrelated to the threat and to ensure that only specific types of actionable indicators are shared. A great many threat indicators might be relevant to understanding and countering cybersecurity threats and still simply not appropriate to AIS. The goal here is broader, faster, coordinated sharing of basic information to empower private companies to better understand and responsibly respond to threats on their systems and to raise the level of government and industry awareness.

Still, CISA will be a failure if it does not result in additional information sharing, or even worse, if it actually causes less sharing. The final bill attempts to avoid these outcomes through a number of compromises. And the AIS system matters to recognizing why and how these compromises take shape.

The Voluntary Sharing Model

First, CISA makes explicit that it is a voluntary information sharing bill. CISA cannot be read to prohibit, limit, modify, or require any information sharing relationship. Furthermore, the anti-tasking provisions prohibit the federal government from conditioning the receipt of cyber threat indicators on sharing. Free-riders are welcome; companies may participate in the portal and derive the benefits, without sharing anything themselves. This means companies will only elect to support the system if the risks of sharing are low.

CISA is intended to eliminate real and perceived impediments to sharing; in other words, all the reasons private companies might not share. Consequently, private industry has won a great many number of assurances in CISA. Liability protection operates as the strongest incentive to share by removing the clearest legal risks. But beyond baseline liability protection, CISA also cannot be construed by courts to create a common law duty to share information nor any duty to warn or act based on the information received. The Joint Explanatory Statement, however, notes that “Title I also does not limit any common law or statutory defenses.” Furthermore, companies preserve all trade secret protection and privileges, they are permitted to designate information as proprietary, and the information is deemed voluntarily disclosed and exempt from FOIA. That’s a long list, and it still doesn’t fully capture the scope of protections. But the bottom line is that, under a voluntary regime, absent these protections, private entities might not share at all and, in some cases, may even elect not to receive information.

The alternative to voluntary sharing – absent bad-idea legislation mandating disclosure – is wielding strong regulatory authority. While that does have proponents, the option is problematic politically and excludes the many non-regulated entities. Congress firmly elected to adopt a voluntary sharing model. CISA’s treatment of regulatory authority is an interesting illustration of where the government draws the line on what it is willing to give up to entice sharing.

Under the Act, all communications between regulated entities and regulators are permitted and CISA does not alter the scope of what an industry is required to report to their regulators. Furthermore, sharing information through the portal does not alleviate the obligation to share directly to a regulator. This leaves, however, the problem of cybersecurity information which is not required to be shared with a regulatory authority that a company might otherwise elect to share under the portal.

As a general matter, companies do not tend to voluntarily share information that might subject them to additional scrutiny or regulation. But overbroad protections risk permitting an industry to immunize itself against certain types of regulation by sharing through the portal; a perverse outcome for a bill intended to strengthen cybersecurity. CISA strikes a balance which reflects the type of threat indicators the government anticipates being shared through AIS.

Information provided under the Act cannot serve as the basis for a specific regulatory enforcement action unless it involves unlawful activity. This means if a company shares, for example, the technical specifications of a defensive measure, that information cannot be used as the basis of an action compelling the entity to use or refrain from using such measures in the future. Furthermore, any information an entity is otherwise required to report to their regulatory authority can still serve as the basis of an enforcement action, even if it is also shared through the portal. Examining the prescribed STIX TAXII fields, it would seem an unlikely channel for a company to share novel information – currently exempt from disclosure – that merited a specific regulatory response. The government is willing to run that risk.

However, federal and state regulatory authorities are permitted to use information shared pursuant to CISA to inform the development of general regulations on cybersecurity. If financial sector regulators see worrisome numbers of a particular cyber attack, they may require that banks adopt security standards related to countering that threat. Therefore, the government preserves its regulatory authority in the aggregate – using combined information to set collective industry standards – because that is where it sees the value of AIS information.

The FBI and the “Other” Portal

The balance inherent in the voluntary sharing model paired with the limitations on AIS information leads to the inclusion of a somewhat odd provision: the other portal. The final version of CISA allows the President to designate another federal agency – excluding DOD and the NSA – to set up an additional portal. The President must certify to Congress that the designation is necessary to ensure full, effective, and secure information sharing and that the alternate agency will comply with all procedures and act according to its own mission.

The alternative portal alleviates the objections of two groups.

First, let’s air a bit of widely-known governmental dirty laundry. There are members of the executive branch and Congress who oppose a DHS-lead information sharing portal. For complex reasons involving cultural values, agency evolution, historical performance, and mission sets, there are factions across the government that simply do not trust DHS to get the job done. As I discussed in my previous post, despite the unanimous consent provision, DHS holds a trump card over other federal agencies in that it can elect to not ingest particular information to the portal by setting STIX TAXII fields. In the unlikely event DHS and the rest of the designated federal entities simply cannot agree, CISA permits the President to set up an alternative path and presumably allow private entities to choose where to share. The provision offers skeptics of DHS – both those who accuse it of plain incompetence and those who fear the agency is “all privacy, no mission” – a presidentially-controlled escape value. If, for whatever reason, DHS is unable to fully, effectively, and securely operate the portal, the President can give the job to someone else.

Second, there are those who fear that awarding liability protection exclusively to sharing through DHS might result in the FBI not getting information critical to the investigation of computer crimes. The merits of the argument are contested but the overall intention of CISA is certainly not to result in the FBI getting less cyber threat information. Hence, the fix.

To understand the concern, it is important to note that information sharing occurred before CISA; after all DHS was running the portal before the bill was even finalized. Thus, CISA would seem to be “authorizing” a great deal of sharing that was never prohibited. While CISA does affirmatively authorize some new sharing, the liability protection is largely intended to force sharing through a particular channel. There are a number of advantages to a single channel; more complete data sets, better sharing, more robust privacy controls. If liability protection is extended to multiple channels, the forcing function is diluted. But a single channel means that some information that is currently shared through a non-DHS portal – for example directly to law enforcement – will not be directly shared in the future.

If this only results in AIS information going through DHS, while other information continues to be shared with the law enforcement, then all is well. And DHS has long insisted this would be the outcome. But the portal is designed to facilitate basic information sharing, not as an investigative tool. AIS is not configured to receive the full scope of cyber threat information that might be necessary to the investigation of a crime. And while CISA expressly permits sharing with law enforcement – consistent with all applicable laws – for the purposes of opening an investigation, the worry here is that companies that are the victims of hacks will share those threat indicators accepted by AIS, but not undertake additional efforts to lawfully share threat information with an FBI field office in order to actually investigate the crime. The lure of the liability protection may cut against other information sharing, by setting up a contrast of “protected sharing” and “not protected” sharing, even though all the sharing in question is lawful.

The fight over the single portal is illustrated starkly by this floor exchange between Senator Tom Cotton – who offered an amendment to extend liability protection to sharing with the FBI and Secret Service – and SSCI chairman Richard Burr in the 11^th hour before CISA passed the Senate. Cotton argued that the

Act would require entities to submit these cyber threat indicators through a portal created and run by the Department of Homeland Security in order to receive liability protection … We ought to give these companies an alternative to the DHS portal. One simple reason is that nobody knows what the portal will look like, how it will function, or how much it will cost companies to interact with it … [T]here is no entity in the Federal Government that the private sector trusts more on cyber security than the FBI. That is why Sony Pictures called the FBI when it was hacked by North Koreans last year.

Burr was remarkably blunt in response:

This is a deal killer … One of the thresholds we had to reach was the balance of that one portal that information goes through. This creates a new portal. The White House is not in favor of it. Downtown’s not in favor of it cause they understand what it does. We are this close right now to a voluntary information sharing bill … if you want to stop it dead in its tracks, support this amendment.

Cotton’s amendment failed, but the final legislation emerged from conference with the new possibility of an alternative portal. If the substantially negative consequences the FBI fears actually materialize, such that the single portal prevents a “full, effective, and secure” process to share cyber threat information with the federal government then there is a path to construct an alternative portal.

Such a portal would, of course, be subject to all statutory limitations and obligations, including codified privacy protections. But the devil is in the details here; specifically, the details coded into the sharing portal itself. CISA does not obligate that the technical specifications for a future portal be as protective as AIS. This means that it is not just the federal government and private companies who have a stake in DHS getting it right, but privacy advocates as well. The balance of CISA is indeed delicate.

[Editor's Note: I've updated this post to correct a factual inaccuracy regarding the scope of existing common law duties.]