Cybersecurity Data Sharing: A Federal Progress ReportAudit Finds Agencies Still Have Plenty of Work to Do
Certain federal agencies, especially units within the Department of Defense, still have plenty of work to do when it comes to sharing cybersecurity information and threat intelligence among themselves as well with the private sector, according to an unclassified report recently sent to Congress.
The Office of the Inspector General of the Intelligence Community, which is part of the Office of the Director of National Intelligence, published the audit.
While the audit found that substantial progress has been made on the sharing cybersecurity information and threat intelligence among agencies over the last two years, it pointed to several areas of ongoing concern, including the failure of certain Defense Department units to use appropriate policies and procedures for data sharing.
The audit was compiled by the seven inspectors general responsible for implementing the Cybersecurity Information Sharing Act of 2015, which provides a legal framework for government agencies and private sector organizations to voluntarily share cybersecurity information and other security data.
The seven federal agencies covered by CISA include the U.S. departments of commerce, defense, energy, homeland security, justice and treasury as well as the Office of the Director of National Intelligence, which helps to coordinate the sharing of this information among agencies.
CISA also requires that the inspectors general for these agencies submit reports to Congress every two years to describe the progress that they're making.
The audit found that these agencies are improving how they share information related to cybersecurity and cyber threats to the U.S as well as defensive measures that agencies are using to deter attacks and hacking.
"The OIGs determined that sharing of cyber threat indicators and defensive measures has improved over the past two years and efforts are underway to expand accessibility to information," according to the report. "Sharing cyber threat indicators and defensive measures increases the amount of information available for defending systems and networks against cyberattacks."
The audit found, however, that multiple areas of improvement in the sharing of cybersecurity and threat information are still needed.
For example, the report calls out five "components" within the U.S. Defense Department for not following all of the guidelines and frameworks outlined in the 2015 law for sharing data. The audit does not name these DOD agencies.
"Five of the eight DoD components use agency-specific policies and procedures but they are not sufficient because they do not include the statute's requirements for safeguarding and removing [personally identifiable information] or notifying entities when information received under the statute does not constitute a cyber threat," according to the audit.
Defense Department officials told the authors of the report that they did not believe that the personal data of U.S. citizens had not been exposed due to the sharing of information using agency-specific policies.
The audit also identifies several hurdles that need to be overcome to improve data sharing among several of the federal agencies that share data. It notes, for example, that:
- Restrictive classifications limit cyber threat information from being widely shared among agencies.
- Information systems at various agencies lack the ability to communicate with each other, which hampers the timely sharing of cyber threat information.
- The reluctance of private organizations to share threat intelligence because of concerns about liability must be overcome.
Private Sector Activity
The report notes that Department of Homeland Security's Automated Indicator Sharing tool, which is designed to help quickly share technical data to help organizations take defensive action, is not being used by many organizations outside of the government.
"As of June 2019, only four federal and six non-federal entities used AIS to share cyber threat information," according to the report. "DHS reported that the limited number of participants who input cyber threat information to AIS is the main barrier for DHS to improve the quality of the indicators with more actionable information to mitigate potential cyber threats."
In the audit, the inspectors general write that alerts produced by the Automated Indicator Sharing tool lack context, which makes acting on the data difficult. The audit suggests that Homeland Security upgrade this tool to make it more efficient.