In a wide-ranging audit by Inspectors General (OIGs) spanning more than seven key agencies, only one – the Department of Defense – was flagged for lack of compliance with the Cybersecurity Information Sharing Act of 2015, which promotes the sharing of cybersecurity threat data.
OIGs reviewed implementation of the law throughout 2017 and 2018 at DoD, the Department of Commerce (DoC), the Department of Energy (DoE), the Department of Homeland Security (DHS), the Justice Department (DoJ), the Treasury Department, and the Intelligence Community. In a report released on Dec. 20, the OIGs concluded that the Federal government’s sharing of cyberthreat indicators has continually improved.
DoD, however, still struggles with compliance, the report says. Auditors explained that DoD’s agency-specific policies for cybersecurity information sharing did not meet requirements for safeguarding and removing personally identifiable information (PII). Additionally, DoD’s alert system does not clarify when information constitutes a cyberthreat.
Despite general governmentwide improvements, the OIGs did note four barriers preventing agencies from excelling at cybersecurity information sharing:
- Information sharing is limited by restrictive classifications;
- Machines’ inability to communicate with one another reduces the speed of information sharing;
- Private sector organizations are unwilling to share cybersecurity information because it is not clear if the legislation will protect them from liability; and
- Challenges with DHS’s Automated Indicator Sharing (AIS) service deter agencies from using it.
AIS is intended to bridge communication between Federal agencies and private sector groups, and to increase the speed of threat data sharing. Private sector organizations told auditors they were wary of using the service because it did not provide enough context to be useful.
The Intelligence Community Security Coordination Center (IC SCC) shared forthcoming efforts to improve cyberthreat information sharing. The organization is planning and developing further deployment of the Intelligence Community Analysis and Signature Tool (ICOAST) to increase secret and unclassified information sharing between qualified personnel, and is working with DHS to integrate AIS with ICOAST.