What CISA means for businesses in the public cloud

By Datalink
11/16/2016

Last year, President Obama signed the Cybersecurity Information Sharing Act (CISA) of 2015 into law, as Division N of the Consolidated Appropriations Act. While there are four cyber components to Division N, CISA arguably has some of the most far-reaching implications. Many don’t know how to interpret this law and what it means for the public cloud, which is why we’re going to dig a little deeper and answer some common questions below.

What is the CISA?
From a high-level, the CISA is meant to authorize the sharing of unclassified cybersecurity information (“cyber threat indicators” and “defensive measures”) between state, local, tribal, and federal governments as well as the private sector.  This includes sharing data on how networks have been attacked and how the attacks have been successfully detected, prevented, or mitigated. The law also requires the federal government to release best practices, which organizations can use to further advance their cyber security.

So, what’s the problem?
You’re probably thinking, “This law sounds like any other typical law… boring.” Well, this is where it gets interesting – and a bit more complicated – because CISA has a provision on immunity that is raising concerns. CISA authorizes companies to monitor their information systems as long as it’s for the purpose of protecting the information or information systems. The law grants businesses full immunity from government and private lawsuitsthat may arise out of CISA-compliant monitoring.

However, CISA also states that businesses must also do the following:

  • Determine whether any Personal Identifiable Information (PII) is included in the information shared with the federal government.
  • Remove the PII if it is not “directly related to a cybersecurity threat.” This is ONLY for PII that is known at the time of sharing.
  • Develop ways to scrub this PII data. However, scrubbing large datasets quickly is not going to be easy, if even possible.

What does this mean for the public cloud?
For businesses using a private cloud, they can control if and what they will share with the government in relation to CISA. In a public cloud, however, businesses lose this control, as well as their rights to data that may become classified as a “cyber threat indicator.” Not only do they lose control, but they also lose the right to sue the cloud provider. And in many cases, businesses may not even realize they are giving up this right.
  
Take the next step
Does this mean everyone should pull their data from the public cloud? Of course not. It does confirm that navigating to the public cloud is not as easy as a click of a button and a credit card. It also means that businesses need more help than ever to navigate their cloud strategy.

We’re here to lead you through the questions of the public cloud. Learn more through Datalink’s Cloud Strategy and Workload Workshop.