Originally published by the Journal of Commerce in January 2016
In the lead-up to President Obama signing the Cybersecurity Act of 2015 into law on December 18, 2015 (Public Law 114-113), there was hope that the federal government would finally have a vehicle through which it could share a broad range of supply chain security information with C-TPAT members. That did not turn out to be the case. The new law does allow private entities to share cybersecurity risk information with the federal government, but the scope is narrow, and there is still no meaningful channel through which the government can share the broader supply chain security information it holds with the private sector.
The new law is part of the omnibus funding bill enacted by the 114th Congress; the cyber provisions begin at Division N. The law contains a number of definitions, including cybersecurity purpose, cybersecurity threat, cyber threat indicator, and so on. Not surprisingly, its focus is on creating a means by which the private sector may share cyber threat data with the U.S. government without fear of being sued, even where that data contains what would otherwise be protected personal information. The law goes on to require that, to the extent possible, information identifying specific individuals be stripped out before the data is given to the government or shared by the government with the private sector; privacy advocates question whether that requirement goes far enough.
Prior to the new law, the general rule was that if your system was hacked, you could not hack back. The new law allows the limited use of defensive measures, but it does not address that need. A defensive measure is defined as an “action, device, procedure, signature, technique or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.” The definition expressly excludes “a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system not owned by” the company being hacked, or by an entity (including a federal entity) that has authorized the company in writing to act on its behalf. In other words, authorized defensive measures stop at the boundary of systems you own or are authorized to protect; anything that reaches into an attacker’s infrastructure falls outside the definition, so the law adds little, if anything, for companies suffering intrusions that would like to hack back.
Information sharing by the federal government must be consistent with the protection of classified information, intelligence sources and methods, and privacy and civil liberties. Within that framework, the Director of National Intelligence, the Secretaries of Homeland Security and Defense, and the Attorney General are to develop procedures allowing cyber threat information, including classified cyber threat indicators and defensive measures, to be shared within the government.
Information sharing is also to extend to non-federal entities, which include private entities, non-federal government agencies and departments, and state, tribal and local governments. Sharing with these entities is intended to cover cybersecurity threats so that their adverse effects can be prevented or mitigated. It is to take the form of periodic publication and targeted outreach of cybersecurity best practices developed from ongoing analysis of cyber threat indicators, defensive measures and the like, with attention, according to the law, to the accessibility and implementation challenges faced by small business concerns. In theory the sharing is to occur in real time (but do not assume it will be instantaneous), and there are provisions that allow it to be delayed, for example for national security reasons or to remove information identifying an individual. The procedures under which the federal government will share data with the private sector and within the federal government are to be submitted to Congress no later than February 16, 2016.
The antitrust protection in the new law is limited to the disclosure of cyber threat indicators or defensive measures, and to assistance provided, for the purpose of “facilitating the prevention, investigation, or mitigation of a cybersecurity threat” to information stored on, processed by or transiting an information system.
For international traders, it is worth noting that DHS has been designated the lead agency to receive cyber threat information from the private sector. The law provides that data so submitted shall not be used to regulate the submitter, that sharing with the federal government is voluntary, and that sharing does not waive any privilege or other legal protection, such as trade secret protection. Information shared in this way is also exempt from disclosure under FOIA, as it is treated as the submitter’s commercial, financial and proprietary information when the submitter designates it as such. Similarly, no cause of action lies against an entity for sharing the information.
When it comes to supply chain security, any information about threats to the integrity of shipments is welcome, but what international traders really want is information about more traditional security threats: those affecting the physical integrity of their shipments and the third parties who handle them. For example, was a specific terminal or pier compromised through bribes or other forms of corruption? Is the operator under investigation for human trafficking or other serious violations? Are the operator’s procedures so lax that theft of goods is widespread? The federal government holds data in these areas but claims it cannot share it. Except for large companies with their own security teams, the vast majority of international traders are left to work out for themselves why shipments from particular suppliers, carriers or terminals are consistently inspected while the same goods from other sources are not. Is this really the most efficient way to enhance supply chain security?