Watchdog finds ‘sufficient’ cyber threat sharing at agencies, but barriers remain

Cyber threat information sharing within the government has improved over the last two years, but challenges remain, according to a recent oversight report.

The biennial report from the Office of the Inspector General of the Intelligence Community examines the implementation of the Cybersecurity Information Sharing Act of 2015 — meant to improve the voluntary sharing of cyber threat indicators and defense measures in and out of government — in calendar years 2021 and 2022.

The joint report to Congress involves input from inspectors generals at the departments of Commerce, Defense, Energy, Homeland Security, Justice and Treasury and the Office of the Director of National Intelligence. 

The report details efforts and tools at ODNI — like its Intelligence and Community Analysis and Signature Tool, meant to share intelligence at the top secret and unclassified levels — and the Cybersecurity and Infrastructure Security Agency — including its Automated Indicator Sharing capability, meant to share unclassified information in real-time between government and private sector.

The report found that “policies, procedures, and guidelines” in the federal space are “sufficient” for sharing cyber threat indicators, but even so, difficulties remain. 

There’s a reluctance to share outside of the government itself, according to the report, which notes that “some prefer to share exclusively within the federal collection” — such as the Commerce Department, which was found to only share with other federal entities when required to do so — and “others may have policy requirements to share only within their relevant sector among eligible stakeholders,” according to DHS officials cited in the report.

DOJ officials reported hesitation among some private companies, too, that “believe sharing such information may raise legal and competitive issues, including implicating potential antitrust issues.” There are also concerns that sharing with law enforcement could hurt business or lead to regulatory consequences.

Others, specifically those from ODNI and DOD, expressed concerns about over-classification making it hard to share information, while officials from Treasury worried that such practices may delay the ability to use information because of the effort required to declassify and move indicators to unclassified systems. Others reported difficulties in transferring information from classified sources to unclassified systems at all. 

Finally, resource constraints related to the number of personnel to review incoming information were also cited as barriers to effective information sharing by some agencies. 

Treasury also noted concerns about sourcing for cyber information — “the fewer the number of controls on the upload side, the higher the probability of bad indicators becoming part of the product” — and a few other agencies pointed to problems with CISA’s tool in that it provides unvetted, raw information and isn’t easily searchable.