Over-classification, a lack of policy guidance and tensions between private sector cybersecurity firms are continuing to hamper federal government efforts to share cybersecurity threat information, according to a report released Friday by the U.S. intelligence community’s top watchdog.
Friday’s report, released by the Office of the Inspector General of the Intelligence Community, concludes that while federal agencies have broadly improved their ability to share threat information and defensive mitigations, long-standing policy and technical concerns are posing barriers to rapid information sharing.
The IG’s report examines how relevant federal agencies shared cyber threat information and defensive measures over the past two years through a framework created by the Cybersecurity Information Sharing Act of 2015. The report finds that the “policies, procedures, and guidelines” for sharing information are “sufficient” to carry out the requirements of the legislation and noted that “sharing has improved” in the last two years.
However, a section on barriers to sharing information among federal entities describes a set of familiar issues — to cyber pros at least — that have long been a rallying cry for improvement, including failures to be more forthcoming in sharing threat information with private sector entities.
Officials at the Department of Homeland Security told the IG that “federal entities continue to be reluctant to share information into the public collection,” the IG wrote. The officials said some entities have a preference to share “exclusively” within the federal government and others have policy requirements to only share with “their relevant sector among eligible stakeholders.”
The IG also identified tensions among government agencies regarding what information is being shared. Department of Commerce officials said they were concerned that the Cybersecurity and Infrastructure Security Agency could be sharing additional information but did not explain further. Both Justice Department and Pentagon officials told the IG that some entities are hesitant to share cyber threat information because it could jeopardize ongoing operations.
These concerns extend to the private sector. DOJ officials said that some private companies still worry that sharing information could raise legal and competitive issues, including potential anti-trust concerns. Others believe that cooperating with law enforcement could lead to negative business and regulatory consequences.
DOJ officials told the IG that “public perception of federal government actions in cyberspace, especially those of law enforcement agencies, is mixed.”
Meanwhile, the U.S. government continues to face obstacles in taking information that is classified and making it available in non-classified contexts.
Officials at the Commerce, Justice and Defense Departments noted that “cross-domain sharing” of information obtained through classified sources could not be used to mitigate potential risks on unclassified systems because agencies lacked the ability to transfer it to unclassified environments. DOJ officials, meanwhile, told the IG that they lacked the “appropriate facility security clearance to receive the information.”
Another perennial issue is that over-classification makes it difficult to share cyber threat information, said officials from the DOD, Treasury and the Office of the Director of National Intelligence.
Officials from DOJ, DOD and DHS all noted a lack of funding, resources or technology, such as automation, to process information. These resource constraints mean that the deluge of data may not be getting to the right agency or person at the right time to be used.