GAO: Gov-Biz Info Sharing Needs to Improve
Industry Gripes About Lack of Actionable Threat Data from Feds
Fewer than one-third of private-sector respondents surveyed by GAO reported they received actionable cyber threat information and alerts to a great or moderate extent.
According to GAO, 98 percent of surveyed business leaders had great or moderate expectations that the government would deliver timely and actionable cyber threat information, but only 27 percent said they received it. Similarly, 87 percent of private-sector respondents had great or moderate expectations that they'd have access to actionable classified or sensitive information, such as intelligence and law enforcement information, but only 16 percent reported those expectations were met.
GAO said federal officials are taking steps that could address key expectations, including the development of new information-sharing arrangements, such as through the Department of Homeland Security's National Cybersecurity and Communications Integration Center. Yet David Powner, GAO director of IT management issues, wrote in the 38-page report that much work remains to be done to fully implement improved information sharing.
White House Cybersecurity Coordinator Howard Schmidt did not respond to the GAO's findings, but the Department of Homeland Security did, and generally concurred. Still, Jerald Levine, director of DHS's liaison office with the GAO and Office of Inspector General, said in a written response that it's important to distinguish between actionable information and classified information with regard to threats.
"There appears to be a sense that the private sector could better secure its networks if it had access to actionable classified information," Levine wrote. "The difficulty is that sharing classified information in an open environment or with non-cleared personnel poses risk to national security. As such, classified information is generally non-actionable, and instead provides contextual threat information - focusing on the 'who.' This information needs to be shared with cleared private-sector partners, and mechanisms are in place and being further developed to enable such sharing."
In an interview with GovInfoSecurity.com earlier this month, just over a week before the GAO made its report public, the director of the DHS's United States Computer Emergency Readiness Team said he has noticed significant improvement in information sharing between the private sector and government since he joined U.S.-CERT three years ago as deputy director. But Randy Vickers, who became U.S.-CERT's acting director a year ago and permanent director in March, agrees that there's room for more improvement on information sharing with the business community. "Are we where we need to be? Not yet, but we are making great strides to be able to share information with individual organizations and companies," he said.
Vickers cited pilot programs DHS is conducting with business to improve information sharing. "We're learning where those gaps are and trying to fill those gaps with capabilities to share information with industry," he said.
Public-sector stakeholders surveyed by GAO said their expectations of private-sector information sharing weren't always met, either, especially when it involved sensitive data. "Some private sector stakeholders do not want to share their proprietary information with the federal government for fear of public disclosure and potential loss of market share," Powner said.
"Without improvements in meeting private and public sector expectations," he said, "the partnerships will remain less than optimal, and there is a risk that owners of critical infrastructure will not have the information necessary to thwart cyber attacks that could have catastrophic effects on our nation's cyber-reliant critical infrastructure."
Congressional reaction was swift but not specific. The three House members who requested the study - the chair of the Homeland Security Committee and two of its subcommittees - called for better cooperation between DHS and business, but didn't suggest any immediate legislative action. "Given the growing nature of the threat, DHS and the private sector must commit to cooperative efforts to ensure the safety of our nation's cyber infrastructure and security of the critical functions it provides," Committee Chairman Bennie Thompson, D-Miss., said in a statement.