Last week, the U.S. Chamber of Commerce held an event discussing the recent Presidential Policy Directive 41 (PPD-41), which is aimed at helping the federal government coordinate with the private sector when responding to cyber-attacks. At the event, Ann Beauchesne, senior vice president of the Chamber, posed the question of whether and how the private sector will be protected from regulators when sharing cyber threat indicators. There has been concern about how the private sector will work with the government under the liability protections granted by the Cyber Information Sharing Act (CISA). Andy Ozment, assistant secretary at the DHS, explained the difference between sharing cyber threat indicators and sharing actual cyber threats.
A cyber indicator is a sign of suspicious activity: a strange IP address, a phishing email, or other unusual network activity. Sharing such indicators among the private sector and with the federal government is protected. Indicators shared through CISA receive statutory protection, meaning the information cannot be passed to regulators or released under the Freedom of Information Act.
A cyber threat, on the other hand, involves an actual network intrusion or break-in. Ozment clarified that DHS will not share this information with a regulator, but that does not relieve the organization of any obligation to report the cyber threat to its “sector-specific regulators” if it is required to do so, and failing to meet that obligation could result in legal repercussions.
While PPD-41 is establishing tools to fight cybercrime, the private sector must take advantage of the tools made available. Ozment explained that industry should keep several things in mind when following PPD-41 guidelines. First, although PPD-41 deals with “critical infrastructure,” he made it clear that when reporting either cyber indicators or cyber threats, an organization should not worry about whether it is defined as critical infrastructure, because an attack on any organization could have drastic effects. It is also important to build a relationship with federal and local agencies now, before an incident occurs. Once an indicator or threat is reported, the government will take care of coordinating and sharing the information. Lastly, an organization should have a plan in place and make the call: if the private sector fails to report information, PPD-41 is essentially useless.