The government’s only laggard in complying with the Cybersecurity Information Sharing Act of 2015 is the Defense Department.
Most federal agencies continue to improve the cyber threat data they share but several barriers remain, according to a joint report submitted to Congress in December.
The report was compiled by the inspectors general of seven agencies legally responsible for executing the Cybersecurity Information Sharing Act of 2015, which created a framework for the voluntary sharing of cyber threat indicators and defensive measures between federal agencies and the private sector. The CISA Act applies to the departments of Commerce, Defense, Energy, Homeland Security, Justice and Treasury, and the Office of the Director of National Intelligence, and requires IGs from those agencies to compile Congressional reports on the law’s implementation every two years.
“The OIGs determined that sharing of cyber threat indicators and defensive measures has improved over the past two years and efforts are underway to expand accessibility to information. Sharing cyber threat indicators and defensive measures increases the amount of information available for defending systems and networks against cyber attacks,” the report said.
However, auditors dinged five Defense Department components for using insufficient policies and procedures when “sharing, receiving, or disseminating cyber threat information.” Auditors faulted the Defense Department components for opting to use agency-specific policies and procedures that were “not sufficient” because they do not meet the CISA Act’s statutory requirements for safeguarding and removing personally identifiable information or “notifying entities when information received under the statute does not constitute a cyber threat.”
While the CISA Act mandates the creation of a framework to share threat information, it doesn’t mandate all agencies or nongovernment entities use it. According to the report, one of the chief barriers hindering better threat sharing is the lack of participation from industry, with “minimal” nongovernment entities using the government’s Automated Indicator Sharing tool.
“As of December 2018, 252 federal and non-federal entities and 13 international computer emergency response teams were connected to receive cyber threat information from AIS. However, DHS has only experienced a slight increase in the number of data producers sharing cyber threat indicators and defensive measures using AIS and, as of June 2019, only four Federal and six non-Federal entities used AIS to share cyber threat information,” according to the report. Homeland Security sees the limited participation as its main barrier to improving the quality of the data.
Other barriers the info-sharing program faces include classification issues that keep some threat information from being widely shared; the inability of machines to communicate with each other, reducing the speed at which threat sharing occurs; uncertainty about the protection from liability provided by the statute; and challenges with the AIS tool that deter its use.