The Department of Homeland Security (DHS) has met the requirements of a two-year old law to establish policies and procedures to share cyber threat indicators with the private sector and other federal agencies but the data could be better presented and more needs to be done to increase participation in the sharing effort, according to a new report by the department’s internal watchdog agency.
Despite meeting the requirements of the 2015 Cybersecurity Act, the “Department faces challenges to effectively sharing cyber threat information across Federal and private sector entities,” the Inspector General report says. “Given that NPPD (National Protection and Programs Directorate) emphasizes timeliness, velocity, and volume in cybersecurity information sharing, the system DHS currently uses does not provide the quality, contextual data needed to effectively defend against ever-evolving threats.”
The NPPD oversees the department’s around-the-clock cyber watch center, the National Cybersecurity and Communications Integration Center and Computer Emergency Readiness Teams.
The Cybersecurity Act, which has bipartisan support in Congress and was signed by former President Barack Obama, calls for DHS to establish guidelines and mechanisms for the sharing of cyber threat indicators between the government and the private sector, and within the government. One of the mechanisms is the Automated Indicator Sharing (AIS) program to voluntarily share cyber threat indicators and defensive measures in real time.
The law also provides limited liability protections to the private sector for voluntarily sharing cyber threat indicators that cross their computer networks with DHS.
In addition to the need to share more contextual information around cyber threat indicators, the IG says that a “cross domain solution and automated tools are lacking to analyze and share cyber threat information timely.” It says that classified and unclassified cyber threat data is kept in separate repositories but DHS cyber analysts have to manually process data from the classified system to the unclassified system to gain greater situational awareness of threats.
Even though DHS has done outreach to bolster participation by federal agencies and the private sector in the information sharing regime, the report says some users have provided mixed reviews about the quality of the information that has been shared by DHS. It also says that that some users don’t feel that DHS has provided enough training around the cyber threat indicators and defensive measures that it shares.
“The persistent challenges we identified in information sharing indicate that DHS’ adherence to existing legislation alone has been inadequate to ensure that contextual cyber threat indicators or defense measures are shared between Federal entities and the private sector in ways to aid effective responses to evolving threats,” the IG says. “Proactive measures on the part of the Federal and non-Federal partners may be needed to ensure the sharing of quality cyber threat information with sufficient details to detect malicious actors, mitigate anomalies, and mount viable defense.”