The Department of Defense’s new voluntary program for sharing cybersecurity threat information between contractors and the department has raised concerns over liability protections and fairness, according to public comments and outside experts.
The Defense Industrial Base Voluntary Cyber Security and Information Assurance (DIB CS/IA) program, codified as a Final Rule on Oct. 22, will ask contractors to share threat risks so that they can be distributed to the DoD and other contractors in the defense community. Similar to the Cybersecurity Framework for critical infrastructure, DIB CS/IA will not be a mandated program and will not be subject to congressional oversight. DoD has previously engaged in information sharing activities with the defense industrial base, but the new rule marks the formalization of the process.
Public comments on the Federal Register said the information should not be exempt from Freedom of Information Act (FOIA) requests and terms of the Privacy Act. DoD’s response suggests that the department will work to protect the information from these provisions: “Confidentiality of such sensitive information exchanged under this program will be protected to the maximum extent authorized by law, regulation, and policy. This includes taking appropriate measures, including the use of any applicable exemptions under FOIA or the Privacy Act.”
Another comment questioned whether DoD will adequately remove personally identifiable information from contractors’ submissions. In response, DoD said, “The DIB participants remove unnecessary sensitive information (e.g., PII), and only share information if it is relevant to a cyber incident (e.g., for forensics or cyber intrusion damage assessment).”
Furthermore, the department intends to anonymize the individual companies when it distributes threat information. Jerry Ferguson, co-chair of the privacy and data protection team at law firm BakerHostetler, said redacting company names may not be enough.
“The reality is that within the defense community, given how much each competitor knows about the other competitor, it may be difficult to truly anonymize the contractor,” he said.
Although not addressed in the Federal Register comments, there is also the issue of whether a lack of confidentiality may lead to companies becoming liable for any sensitive information that they share, according to Ferguson. The Final Rule does not grant immunity in the event of a lawsuit.
“It does create some risk for participating companies that their dirty laundry may be aired,” he said.
Ferguson also questioned whether companies will be treated unfairly if they do not volunteer for the program when it comes to contract awards.
“It’s certainly fair to make sure that that contractor has the highest security standards…and therefore, if that contractor is not participating in that program, they’re going to have to have a good reason why they’re not and why what they’re doing is better,” he said.
The Final Rule specifically addresses this issue: “DIB participant’s voluntary participation in this program is not intended to create any unfair competitive advantage or disadvantage in DoD source selections or competitions, or to provide any other form of unfair preferential treatment, and shall not in any way be represented or interpreted as a Government endorsement or approval of the DIB participant, its information systems, or its products or services.”
Overall, Ferguson said he supports the information sharing efforts, but he wants potential risks to be recognized.