Participation in the Cyber Information Sharing Act (CISA) has been slow since the law's certification in March, DHS officials say. The new law encourages reciprocal sharing of cybersecurity data breach and cyber threat information between the federal government and the private sector, but “lingering legal questions” about its liability protections have created some hesitation among corporate executives. “I think some people are just taking a wait-and-see approach,” said one industry lawyer who advises clients on the risks and benefits of sharing cyber-threat information with DHS. “The law does not protect you from having lax security measures; anything you provide to the government about your vulnerabilities would be discoverable in court when you get sued.”
In response to the lingering legal questions that could prevent private companies from sharing information with a federal entity, DHS has announced plans to issue final info-sharing guidance on June 15 in an effort to clarify the benefits and risks of sharing cyber-threat information with DHS and with other private organizations. “The law was written based on what could get passed, not on what would get companies to share,” said one lawyer. “You get what you pay for,” he said, suggesting that the liability-exemption incentive might not be enough to convince company executives to share such private information, especially in the post-Snowden era. Nonetheless, it is important to note that DHS has been given the role of scrubbing personal information from any cyber-indicators shared with the government before that information is disseminated to other government organizations.