Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

June 2019
If the public and private sectors don’t cooperate on cybersecurity, CISA’s job of protecting critical infrastructure is impossible.
The United States government doesn’t seek to cooperate with the private sector on cybersecurity just because it sounds nice, like some Golden Rule of cyberspace. In truth, it doesn’t have much choice. About 90 percent of the country’s critical infrastructure is in private hands. And if that infrastructure isn’t protected, cybersecurity is a pipe dream. That’s why the Department of Homeland Security’s lead organization in this area is called the Cybersecurity and Infrastructure Security Agency. And its mission requires it to work closely with companies that must safeguard critical infrastructure.
     Daniel Sutherland, who is CISA’s chief counsel, oversees a department of 30 lawyers that he expects will reach 40 by year’s end. The department essentially functions as a general counsel’s office, he says. But if CISA is to achieve its goals, it needs to reach the hearts and minds of  other general counsel, whose companies need to understand that sharing threat information with CISA will enhance the country’s cybersecurity without compromising their companies’ data. The problem, says Sutherland, is that “many in the legal community do not know our agency or understand what we offer to their company or to their client.” He aims to change that.

CyberInsecurity News: What is the Cybersecurity and Infrastructure Security Agency?
Daniel Sutherland: CISA leads a national effort to understand and manage cyber and physical risks to our critical infrastructure. We are an operating component of the Department of Homeland Security. We are a nonregulatory, non-law enforcement, nonintelligence community interface between the public and the private sectors. 

CIN: It was rechristened last year, in November. Why the change, and how is CISA different from its predecessor, the National Protection and Programs Directorate?
DS: It had been an office attached to the headquarters of DHS for a number of years. It was stood up with a few hundred people, and we’ve now grown to approximately 4,000 and a budget of over $3 billion. Obviously the mission space in cyber has grown dramatically in these past years, and so the Congress has decided that, rather than be an office attached to the headquarters, CISA needs to be an operating component within the department, just as we have TSA, FEMA, Coast Guard, Secret Service and the others. 

CIN: What does CISA do that can benefit companies? 
DS: We know that we have to work side-by-side with our stakeholders—other federal agencies and private-sector organizations—to help empower them to defend against the threats that they see, and partner with them to build more secure and resilient infrastructure in the future. We have to have those partnerships with our stakeholders—that’s the only way that infrastructure security can operate. 
We do four things. First, we provide comprehensive cyber protection. We provide incident response teams. We do information sharing. We provide tools and capabilities—very large procurements across the federal government that allow us to monitor the traffic coming in and out. We operate the NCCIC—the National Cybersecurity and Communications Integration Center LINK https://www.dhs.gov/cisa/national-cybersecurity-communications-integration-center, which is the largest cyber operations center in the civilian government. Second, on the physical side, we coordinate security and resilience efforts with infrastructure owners and operators around the country. For example, we help them do assessments of the security of their facilities, like shopping malls and sports stadiums. The third thing is that we enhance public safety emergency communications. And the fourth thing we do is operate the National Risk Management Center, LINK https://www.dhs.gov/cisa/national-risk-management which is the part of our agency that works to identify areas of infrastructure risk, conduct in-depth analysis of those risks and then pull together teams to address the most significant risks.

CIN: How about law firms? What does CISA do that benefits them?
DS: One of the things we really want to stress is that this agency has capabilities and tools that will be of great benefit to the private sector, and therefore those who are in-house attorneys will recognize that this is an agency that has something to offer their companies. And law firms will recognize that their clients would benefit from understanding the tools and abilities of this agency.

CIN: Do you quantify how many companies and law firms have been in touch in order to avail themselves of some of the services you offer?
DS: First, I think it’s important for law firms and corporations to understand that protecting the nature of communications is central to what we do. It’s important for companies to know that their communications with us—we understand the sensitivity, and we protect them.
     Although we do not identify specific companies that engage with us, there are some ways to quantify the impact we are having. Let me give you three examples. First, under our machine-to-machine sharing program, CISA has shared more than 5 million unique cyber threat indicators in the last three years. As another example, we have generated over 30,000 cyber hygiene reports in the past six months—reports analyzing vulnerabilities that have been provided to over 1,000 companies, state and local governments, and federal agencies. One last example: In fiscal year 2018, CISA responded to over 2,100 requests for incident response support coming from all 16 critical infrastructure sectors, and we deployed 33 incident response teams to provide on-site analysis and support.

CIN: The services you’re describing—are they free to the organizations that seek them?
DS: All of the services that we provide are free. Congress appropriates the funds for us to provide these services. But we don’t have unlimited resources. So we have to prioritize where we’re sending our teams. We prioritize according to the type of incident or threat. For example, if it’s something we believe is involving a nation-state, or if it involves something in the critical infrastructure area—those are the types of factors that go into the decisions we make in prioritizing where to send our teams.

CIN: What can companies and law firms do that can benefit CISA?
DS: The biggest thing they can do is come to understand what CISA offers—what our mission is, what the services we offer are, and how they can engage with CISA in ways that do not compromise the confidentiality of their proprietary information. Attorneys can also benefit themselves and us by understanding the legal frameworks associated with the provision of these capabilities and tools. We often find that chief information officers [CIOs] of companies will want us to come and send a technical team to help with some sort of incident that they are experiencing. But then we need to discuss the issue with their lawyers and explain the legal frameworks, and that takes valuable time. So that’s one key thing that in-house and outside counsel can do: understand the legal frameworks associated with the provisions of these services.

CIN: You’ve talked about information exchanges. Is there information that companies may have about specific threats that could be valuable to you in order to help protect critical infrastructure?
DS: Yes. Congress has created the structures for an information-sharing environment. In the Cybersecurity Information Sharing Act of 2015, it tried to identify what the major obstacles were to information sharing, and then eliminate them. The reason was simple. Congress recognizes that, in the cyber context, if we share information with one another about the threats that we are either facing or could face, we have a better chance of collectively defending. Because if one company gets hit by a particular malicious attack, the likelihood is that a dozen or five dozen other companies are going to be subject to the exact same attack.

CIN: We’ll come back to that. Let’s turn for a moment to the Office of the Chief Counsel. What are the responsibilities of the office that you direct?
DS: We are responsible for providing legal support for our clients across CISA. We are embedded with our clients and are very much part of the operational tempo of the agency. Our legal practice includes negotiating complex technology agreements, protecting intellectual property, representing the agency in litigation, explaining the agency’s capabilities and tools to legal counsel for companies, representing the agency’s interests in audits and congressional oversight, dealing with labor and employment law issues, and handling ethics and conflicts issues. What we do is very similar to what the office of the general counsel within a corporation would do. We are the office of the general counsel for this agency.

CIN: What are the lawyers’ responsibilities?
DS: We have attorneys in every specialty that is common to an office of general counsel. For example, litigation, oversight, labor and employment law, ethics. We have a number of attorneys who sit inside our cyber operations organization, and we provide daily operational advice to them about the types of legal agreements they need in order to go and work on responding to some sort of cyber incident—how to negotiate those agreements, what the terms are and what our legal authority is in those areas.  But we also have a number of specialties that specifically relate to the federal sector. Like privacy law. We advise CISA’s Privacy Office on a variety of issues associated with the confidentiality of sensitive information. Or fiscal law—what is our agency authorized by Congress to spend money on? Or regulatory law—how do we advise our clients on developing or responding to regulations that impact our work? We also have specialists in the area of public-private partnerships. A big area of our practice, because that’s a big foundational element of our agency, is: How do we have forums in which the private sector can share sensitive security information with the government? There’s a very large practice of law there.

CIN: What do you look for in the lawyers you hire?
DS: The type of attorneys that we are looking for are people with broad experience, because when we talk about infrastructure security law or cybersecurity law, it’s not a single discipline in and of itself. It’s a number of different areas of law applied to the context of infrastructure security and cybersecurity. So we need people with a broad background in litigation, contract negotiation, legislation, regulation and other areas like that. The second thing we look for is people who have a background in technology. The third thing we look for is, when we can’t find people with that kind of background—for example, someone who was a software programmer before law school—we look for people who have curiosity about technology. In other words, you don’t need to bring a technological background to this position, but you do need to bring a desire and a curiosity to learn about it.

CIN: What have been the biggest surprises so far in the job?
DS: When I started in our predecessor organization about five years ago, our focus was primarily on criminal activity in the online environment. In other words, criminal networks engaging in data breach activity to try to make money. Now our focus is overwhelmingly on nation-state activity. The level of complexity is far higher, from a technical sense, but also for a practicing attorney.

CIN: What do you see as the biggest challenges you face?
DS: The biggest challenge we face is the dynamic threat environment. The threats that our country faces are changing and becoming more complex. We as attorneys have to have a good understanding of that threat environment to provide effective legal advice. The second big challenge is explaining to our colleagues in the legal community what our agency does and what capabilities and tools we offer them.

CIN: Can you tell us about the litigation you face?
DS: We are involved in litigation as the client agency. The Department of Justice goes into federal court for any federal agency; they do for us as well. For example, two years ago, the then acting secretary issued a directive to other federal agencies that a particular company’s anti-virus products and services should not be used anymore. That company was the Kaspersky Lab. That ultimately ended up in court. The Department of Justice represented us, and we were involved as the client agency. We prevailed at both the district court and the Court of Appeals for the D.C. Circuit.

CIN: What about Freedom of Information Act [FOIA] litigation?
DS: Information law is a huge area of our practice because, in part, our agency is about the sharing of information and, to the greatest extent possible, being transparent about the information we have. Information law is extremely important to us because, while we want to be as transparent as possible, we work very hard to protect the sensitive and proprietary information shared with us by the private sector. Hypothetically, if a company shares with us their security plans that relate to a number of different facilities that they have around the country, and they want to improve those plans through a dialogue with us and benefit from our expertise—these are not appropriate to be released through the Freedom of Information Act.
Therefore, we work hard to protect that sensitive and proprietary information, to the extent that we can. Occasionally issues like that end up in litigation, where we have had a great deal of success.

CIN: Are there common misperceptions or misconceptions about your agency and what it’s doing?
DS: I think the first problem we face is that many in the legal community do not know our agency or understand what we offer to their company or to their client. So it’s a lack of knowledge of what we do that’s the primary issue. For those who are familiar with the area of cybersecurity, there’s a lack of understanding of the legal frameworks associated with the protection of information sharing. Congress has worked extremely hard on this over the past several years to create a number of statutory protections for companies to share information with us and receive information from us. And we believe that the legal community is not fully aware of the extent and the depth of the information-sharing protections that Congress has provided.

CIN: Is there sometimes tension between your organization and companies over any of these issues?
DS: There is a tension. There’s an education process, and then, once a company understands what we offer, there’s a question of them getting a level of trust and confidence in what we’re going to bring to them—how we’re going to benefit them, and how they’re going to benefit the larger information-sharing environment. By sharing their information with us, we can share it with others who will be better protected.

CIN: How do you overcome the gaps?
DS: First is education. We tell people about the legal framework and what we provide. The second thing is relationship building. We have a number of forums that we host where companies and other federal agencies can exchange information with us and with each other. That builds a level of communication and trust. And, finally, there is the value of success stories—of seeing where we have established value, and then others learning from that success story and realizing that they can get some good services from this agency as well.

CIN: Can you tell us some success stories that are examples of what you’re talking about?
DS: Sure. The first one that comes to mind is the large Office of Personnel Management [OPM] data breach a few years ago. It was a wake-up call for federal agencies. Many in the private sector had had those kinds of extremely large incidents before—some of the really large companies. The federal government had not had that before, and this incident really catalyzed the federal sector in a whole new way. We’re in a different place now, in terms of the security of information maintained in the federal agencies.
     Another example I can give you is in the election infrastructure context leading up to the 2018 midterm election. We invested a tremendous amount in trying to help those who operate networks associated with elections around the country to build security. We sent unclassified threat alerts. We helped establish organizations like the Election Infrastructure ISAC, which went from being a brand new organization to hundreds of members. We organized tabletop exercises. We had a 24/7 Election Day operation center, where election officials around the country could send to us, either virtually or even sitting in person in our room, issues that they were seeing. So that was a real area of success, and a model we’re building for 2020.

CIN: Let’s go back to the Office of Personnel Management. If we mentioned that organization in the context of cybersecurity to people who are knowledgeable on the subject, they would associate it with a huge failure. Do you think you have been able to share subsequent success stories adequately for people to understand that after that very large failure, there have been government successes?
DS: I think it’s well understood that the federal sector is at a completely different place than we were prior to this incident. There are new statutory authorities, so Congress recognized some gaps that needed to be filled. There’s a new energy across the federal agencies. There’s more cooperation. For example, one of the new statutory authorities that Congress gave us is to issue binding operational directives. We did not have that authority prior to the OPM incident, and so Congress has allowed the secretary to issue a directive to the other agencies that they must do certain things, and that’s been received very well by the agencies. And we have judiciously used that on some high-profile and important issues. For example, CISA just released a new directive that requires that federal agencies move faster in patching vulnerabilities. In 2015 we instituted a requirement that federal agencies patch vulnerabilities within 30 days of a patch becoming available. However, empirical evidence from government and industry continues to demonstrate the need to remediate significant vulnerabilities closer to the time of detection. Therefore, the new directive requires agencies to patch critical vulnerabilities in half the time.

CIN: How important is your automated indicator sharing [AIS] program?
DS: It’s one of the most important information-sharing platforms available, although I will emphasize that AIS is only one of them. It’s a particular type that’s for companies that have the sophistication to receive machine-to-machine communications. It’s also related to a very specific type of information—cyber threat indicators and defensive measures. We have other information-sharing platforms that are more person-to-person exchanges or analyst-to-analyst exchanges. But AIS has been an extremely important development these past couple of years, since Congress required the establishment of that program in late 2015. And it’s growing. We now have a number of different countries feeding into our feed and receiving back from us. So it’s a very rich source of data.

CIN: There are other information-sharing programs run by other organizations like the National Cyber-Forensics & Training Alliance [NCFTA]. Do you communicate with any of them?
DS: If we can push our information out to an information-sharing organization that has 10,000 members, that’s fantastic. We don’t need to be connected to every one of those 10,000 members. We can push our information and receive information from that information hub. We understand that there are many of these nodes, and we hope to be a valuable player in that environment.

CIN: What are three takeaways you want to leave in-house lawyers with?
DS: We hope that attorneys will understand who does what in the cybersecurity field. We hope that they will understand specifically what CISA brings to the table, what capabilities and tools and resources we have that can benefit their company. And we hope that they will learn and study the basic legal frameworks associated with cybersecurity—the constitutional provisions, the statutory provisions and the main policy directives in this area.