Yesterday the Department of Defense (DOD) published an interim final rule (IFR) in the Federal Register (77 FR 27615-27621) that establishes a voluntary cybersecurity information sharing program between DOD and qualified Defense Industrial Base (DIB) entities. It is specifically designed to protect unclassified DOD information residing on or transiting through unclassified DIB information systems.
While DIB entities are almost by definition critical infrastructure, there are a number of differences between the DIB and the run-of-the-mill privately owned critical infrastructure facility that would make it difficult to translate this program directly into a broader DHS/CI cybersecurity information sharing program. The program still bears studying as a potential model for broader cybersecurity information sharing programs.
Information to Share
This program is based upon the realization that each side holds cybersecurity information that would be valuable to the other if it were shared. Because of its extensive intelligence collection and analysis capabilities, DOD is likely to have information about cybersecurity threats (adversary capabilities, techniques, intentions and other actual attacks) that DIB entities could use to protect their information systems. DIB entities would have details about intrusions and attempted intrusions on their systems (attack vectors, methodologies, information targeted and information compromised) that DOD could use to assess the extent to which DOD unclassified information has been compromised and to extend its analysis of cybersecurity threats to DOD/DIB systems.
The crafters of this IFR also realized that there are some natural and logical imperatives that would tend to restrict the sharing of this information. DOD is concerned that sharing its threat information could lead to the compromise of intelligence methods and means, which could affect much wider intelligence collection efforts. DIB entities would be concerned that the public release of information on actual system attacks could adversely affect shareholder confidence or compromise proprietary business information or personally identifiable information (PII). There is also a potential DIB concern that such information sharing could lead to regulatory action against the information provider if the breach (or the information compromised) revealed even minor or inadvertent violations of any of a multitude of Federal, State or local rules or regulations.
These advantages and disadvantages of information sharing are not unique to the DOD-DIB relationship. Any formal information sharing arrangement between DHS and critical infrastructure entities would face the same sorts of issues.
Framework Agreement
Lacking a legal framework to require DIB entities to participate in an information sharing program, DOD realized that it would have to establish a quid pro quo with individual DIB entities. The IFR formalizes these arrangements in Framework Agreements (FA), a formal written agreement between each DIB entity and DOD.
The IFR describes this as an agreement to “share, in a
timely and secure manner, on a recurring basis, and to the greatest extent
possible, cyber security [sic] information relating to information assurance
for covered defense information on covered DIB systems” {32 CFR §236.4(a)}.
The IFR requires that the FA implement the requirements of §236 and “will include additional terms and conditions as necessary to effectively implement the voluntary information sharing activities described in this part with individual DIB participants” {§236.4(b)}.
Information Sharing
Section 236.5 outlines the types of information that will be shared. It starts out by requiring the government to share Government furnished information (GFI) with DIB participants. Unfortunately, there is no definition of the types and extent of the GFI that will be shared. This was almost certainly done both to protect the intelligence community from requirements to share too much information and to provide DOD with the widest possible latitude in what it shares. What will actually be shared in practice remains to be seen.
The requirements for the information to be shared by the DIB are more clearly spelled out, but will be more closely defined in the FA. The information includes:
• Initial incident reporting {236.5(b)};
• Follow-up reporting {236.5(c)}; and
• Cyber intrusion damage assessment {236.5(d)}.
Information Holding
The simple promise of an exchange of information is not an adequate reason for industry to supply cybersecurity information to the government when that information could harm the company if it is re-shared with other entities; DIB entities would require assurances that they would be protected from such exposure. This regulation does provide some of those assurances.
Section 236.5(e) provides that DOD shall “take reasonable steps to protect against the unauthorized use or release of such information (e.g., attribution information and other nonpublic information)”. While the DIB might find ‘reasonable steps’ to be less than sufficient, the section goes on to explain that the “Government will restrict its internal use and disclosure of attribution information to only Government personnel and Government support contractors that are bound by appropriate confidentiality obligations and restrictions relating to the handling of this sensitive information and are engaged in lawfully authorized activities”.
Section 236.5(g) explains that electronic media and files provided to DOD by the DIB will be handled by the DOD Cyber Crime Center (DC3), an accredited digital and multimedia forensics laboratory. “DC3 will maintain, control, and dispose of all electronic media/files provided by DIB participants to DC3 in accordance with established DoD policies and procedures.”
Finally, §236.5(h) provides that ‘the Government’ will assert “applicable FOIA exemptions” when DIB-provided information is requested under the Freedom of Information Act. This is not the blanket protection against FOIA disclosure provided by CISPA (HR 3523), but there is no legislative provision that would allow DOD to offer that blanket protection.
Qualified Participants
Since the information sharing program may include classified GFI, there are prerequisites that a participating DIB entity must meet before it completes its FA and becomes part of the program. These requirements, most of them related to handling classified material, include:
• “Have or acquire DoD-approved medium assurance certificates to enable encrypted unclassified information sharing between the Government and DIB participants;” {§236.7(a)}
• “Have an existing active Facility Security Clearance (FCL) granted under the National Industrial Security Program Operating Manual (NISPOM) (DoD 5220.22-M) with approved safeguarding for at least Secret information” {§236.7(b)};
• “Have or acquire a Communication Security (COMSEC) account” {§236.7(c)}; and
• “Obtain access to DoD's secure voice and data transmission systems” {§236.7(d)}.
Application to other Critical Infrastructure Entities
These requirements may be relatively easy for many members of the DIB community to fulfill; many already routinely handle classified material in their business with DOD. Similar requirements would be necessary for any critical infrastructure entity that hopes to gain access to classified intelligence information as part of a cybersecurity information sharing program. Most CI entities will forgo those requirements; they are too expensive, and the possibility of obtaining actionable classified cybersecurity threat information is just too slight.