DHS Cyber Info Sharing Focuses on Quantity Over Quality, IG Says


The department is sharing a lot of cyber threat indicators with agencies and the private sector, but only a handful are useful.

The Homeland Security Department is meeting the requirements of a 2015 law that directs the department to share more cyber threat information with the private sector, but the information it’s sharing isn’t always helpful, an auditor said Monday.

Homeland Security has focused on sharing cyber threat information as quickly as possible through an automated process, but that often means recipients don’t have enough context about the threats or good ideas about how to combat them, according to the inspector general’s report.

The information sharing system was mandated by the 2015 Cybersecurity Act.

Companies and other federal agencies that are signed up to receive the cyber threat alerts also complained about technical glitches and information shared in incompatible file formats, the report said. Many indicators they did receive were false positives, they said.

“One agency representative told us that although DHS provided 11,447 cyber threat indicators in 2016, only 2 or 3 of these indicators were found to be malicious and related to cyber incidents,” the report said.

In other cases, Homeland Security didn’t offer agencies and companies enough training about how to effectively use the cyber threat information it shared, recipients surveyed by the auditor said.

The auditor urged Homeland Security to do more outreach to potential new recipients of the threat information. The auditor also urged Homeland Security to integrate its sharing systems for classified and unclassified cyber threats so recipients with security clearances could benefit from both.

Homeland Security agreed with both of those recommendations and plans to work on developing a system for integrating the classified and unclassified systems during the 2018 fiscal year, the report said.