The private sector has been pushing for greater liability protections before participating in a two-way exchange of cyber threats and vulnerabilities with the agency.
The Cybersecurity and Infrastructure Security Agency plans to have a national strategy in place to increase the quality of cyber threat information shared by all parties within the year.
“CISA will build its national cyber threat information sharing strategy in collaboration and coordination with its partners and stakeholders,” reads the agency’s response to a recent Department of Homeland Security Inspector General report on the issue. “This national strategy is projected to be completed during the fourth quarter of FY 2021. The estimated completion date is September 30, 2021.”
The IG found that while CISA had implemented the basic requirements of a 2015 information sharing law—critics at the time decried the Cybersecurity Information Sharing Act as being more about surveillance than security—it made “limited progress” on that front during 2017 and 2018. While there were a lot of participants willing to take relevant information, there were very few willing to give it, the report said, leading to poor overall quality of the data in CISA’s Automated Indicator Sharing system.
“The limited number of participants that share cyber threat information in AIS is the primary impediment to achieving better quality and more actionable information sharing,” the IG said. “Although CISA increased the number of AIS program participants (information consumers) by 142 percent between 2016 and 2018, this did not equate to an increase in the number of information producers.”
The report notes that only 2 of 188 AIS participants (1%) shared cyber indicators with CISA in 2017, and only 9 of 252 participants (3%) shared indicators in 2018. Nextgov reported that the private sector in particular, which is often privy to the most valuable information, was not sharing. During a recent event FBI Deputy Assistant Director Tonya Ugoretz said she’s envious of the intel shops some in the private sector have access to.
The 2015 law protects companies from liability associated with privacy violation and some antitrust concerns. But the industry wants more.
In a letter opposing cyber intelligence sharing and threat hunting provisions in the National Defense Authorization Act, major industry groups cited liability concerns.
Last September, CISA’s Information and Communications Technology Supply Chain Risk Management task force—co-led by representatives of the trade associations for big tech and telecom companies—recommended exploring legal barriers to information sharing and possibly removing them through legislative action. And the National Cyberspace Solarium Commission, which included industry leaders, recommends giving systemically important private-sector entities legal immunity for cooperating with the government on cybersecurity.
Leading up to completion of its national strategy next September, CISA concurred with other recommendations the IG made and committed to hiring staff to support AIS and completing a roadmap to improve its operational effectiveness by the first quarter of fiscal 2021. By March, CISA also plans to make upgrades to AIS and have a communication and outreach strategy to engage the cybersecurity community “through various forums.” And by December of this year, the agency plans to update AIS submission guidance to include step-by-step instructions.
It is unclear whether any of the steps outlined will include granting additional liability protections to the private sector.
The IG’s report notes, “without more data producers, CISA cannot achieve the National Cybersecurity Protection System’s primary objective to prevent cybersecurity incidents from occurring through improved sharing of threat information.”