A five-year-old program to foster information sharing between the federal government and the private sector barely earned passing grades, with plenty of room for improvement.
The Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) has issued its biennial report on how well DHS and the Cybersecurity and Infrastructure Security Agency (CISA) are implementing the responsibilities and authorities Congress gave the agency in the “Cybersecurity Act of 2015” (P.L. 114-113), specifically the information sharing regime DHS was tasked with leading. While the OIG found progress, the quality of the cyber threat indicators and defensive measures remained lackluster and apparently of little value to private sector entities and federal agencies. The OIG lays out the various reasons CISA’s threat information has limited value, but until the agency starts providing useful and timely information, most potential recipients will likely either opt not to receive it or discount what they do receive. Moreover, while information sharing is probably not the silver bullet proponents of the legislation claimed, it does have obvious value in alerting organizations to cyber threats.
Apparently, CISA has not seen Field of Dreams, because it assumed stakeholders would simply join even though what CISA was providing was of limited value. The OIG gives a number of reasons for this, but it is somewhat astounding that DHS and CISA have had five years to implement perhaps the most anticipated change in United States (U.S.) cybersecurity policy and are still muddling along. Of course, this lack of progress also raises the question of whether the conceptual framework behind Title I of the “Cybersecurity Act of 2015” was as sound as advertised. Having lived through the marathon of bills, markups, negotiations, revised bills, amendments, etc., I clearly remember private sector stakeholders insisting time and again before Congress that they could not share cyber information without liability protection because of the many lawsuits against them for doing just that (just kidding about that last part; no one ever said there was any actual litigation, but there might be.) It seemed dubious to me at the time, and still does, but they persuaded lawmakers and the Obama White House, and so it went into the bill. And yet, these entities are either not sharing information or not sharing it with the federal government.
Aside from the quality of the information CISA provides, the OIG pointed out that CISA is receiving very little threat information from private sector partners. Why might this be? A lingering fear of litigation, even though the Act provides liability protection and such submissions are exempt from disclosure under the Freedom of Information Act (FOIA)? Perhaps.
I also wonder whether private sector entities are averse to sharing information because they fear regulation and enforcement may follow, even though the “Cybersecurity Act of 2015” limits how far federal agencies may go in doing either. I’m guessing corporate counsel has argued, and will continue to argue, against providing information for fear that somehow, someway, it will boomerang back on the company. But, to be fair, the limit in that provision applies only to “lawful activities,” meaning illegal conduct that turns up in cybersecurity information shared with the federal government could still be used for an enforcement or regulatory action.
Moreover, federal agencies may use such information to inform their cybersecurity regulation, so companies and other private sector entities may want to avoid regulation beyond the largely voluntary regime most critical infrastructure industries face (excepting heavily regulated fields like electric and nuclear power, for example). There are also the usual incentives created by information asymmetry: if Company A has invested the resources to build a first-rate cybersecurity regime, why would it help Company B by submitting warnings to CISA, especially if the two share a market and compete?
Perhaps more simply, applying Occam’s Razor, private sector entities want to receive cyber threat information but do not want to go to the trouble and expense of submitting it to the federal government. There is almost no incentive for them to share other than the good feeling that comes from helping to protect the U.S. and doing one’s duty.
This 2015 blog posting by a “white shoe” law firm succinctly provides the type of advice that would stop most companies from participating:
In determining what information to share, a company should evaluate whether a cyber threat indicator or defensive measure implicates sensitive business information, and exercise particular care in evaluating the costs and benefits of sharing this information. It bears emphasis that CISA imposes no requirement to share cyber information, and if a company does choose to share it is free to distinguish between different types of information. As compared to more generic threat information, disclosing information about a company’s own specific cyber vulnerabilities and incidents can carry legal, competitive, and reputational risks that are far greater if that information is learned by competitors and customers. In this regard, it will be important to understand the situations in which the federal government may share and make public information received under CISA, such as in the context of a criminal prosecution. For particularly sensitive information, companies will want to focus on the ability to share on an anonymous basis, such as through an ISAC or ISAO. Public companies will, among other things, need to assess how their decision to share information under CISA may interact with their disclosure decisions under the securities laws, given that sharing cyber information with the federal government could potentially be seen as an indicator of materiality requiring disclosure in a public filing.
Finally, the OIG did not investigate information sharing within the private sector. That is outside its remit, and I suspect the Government Accountability Office (GAO) would be a better entity to take on the issue. Given all the noise the private sector made about liability protection, very few seem to be using it by submitting information to CISA. Perhaps the information sharing market is gangbusters for ISACs or ISAOs instead.
Nonetheless, the OIG explained:
The DHS has addressed the basic information sharing requirements of the Cybersecurity Act of 2015. To carry out its mandate, the Cybersecurity and Infrastructure Security Agency (CISA) within DHS, developed policies, procedures, and an automated capability, known as the Automated Indicator Sharing (AIS) program, to share cyber threat information between the Federal Government and the private sector. CISA increased the number of AIS participants as well as the volume of cyber threat indicators it has shared since the program’s inception in 2016. However, CISA made limited progress improving the overall quality of information it shares with AIS participants to effectively reduce cyber threats and protect against attacks.
The OIG contended “CISA’s lack of progress in improving the quality of information it shares can be attributed to a number of factors, such as limited numbers of AIS participants sharing cyber indicators with CISA, delays receiving cyber threat intelligence standards, and insufficient CISA office staff.” The OIG asserted “[t]o be more effective, CISA should hire the staff it needs to provide outreach, guidance, and training.”
The OIG found:
- While CISA has increased the number of cyber threat indicators and defensive measures shared with program participants, the AIS information did not contain enough detail to fully mitigate potential threats. Specifically, the AIS indicators shared with participants did not contain actionable information, including sufficient context or background details to effectively protect Federal and private networks. Examples of contextual information may include Internet Protocol addresses, domain names, or hash files, which may be helpful for determining the appropriate course of action to mitigate threats against networks.
- To determine whether CISA had improved the quality of information it shared under the AIS program, we obtained feedback from 17 AIS participants (10 Federal agencies and 7 private sector entities). Although some participants conceded the accuracy and quality of the indicators were not high, they still found the information beneficial. The feedback we obtained is outlined as follows, and shown in Figure 4:
- 11 of 17 participants (5 Federal and 6 private sector) said the indicators lacked contextual/background data for determining the appropriate course of action to mitigate threats against their networks. Additionally, some participants stated that some indicators received were false positives or unusable information.
- 6 of 17 participants (3 Federal and 3 private sector) said they had to augment the AIS indicators with additional information from other third-party sources.
- 5 of 17 participants (4 Federal and 1 private sector) stated the AIS program was effective or helpful.
- 1 Federal agency did not express an opinion on the usefulness of the program.
- CISA’s lack of progress to improve the quality of the information shared under the AIS program can be attributed to multiple external and internal factors. External factors include the limited number of AIS participants sharing cyber indicators with CISA and the delays in receiving the cyber threat intelligence standards needed to upgrade the AIS capability. Internal factors include insufficient staffing in the CISA office to adequately support the AIS program. Collectively, these shortcomings have hindered CISA’s ability to improve the quality of AIS indicators and have thwarted outreach efforts to increase participation and the usefulness of the AIS program.
The OIG made four recommendations:
- Develop an approach to encourage Federal and private sector participants to share information with the Department and become data producers under the AIS program.
- Collaborate with the Organization for the Advancement of Structured Information Standards to expedite the approval of new standards so that CISA can complete AIS upgrades.
- Actively promote the AIS program through increased outreach, training, technical assistance, and information sharing forums for Federal and private sector entities.
- Place priority on hiring administrative and operational staff needed to conduct outreach, training, and performance measurement to improve the AIS program’s operational effectiveness.
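The OIG’s central finding, that AIS indicators arrive without the context needed to act on them, is something a receiving SOC can measure on its own copy of the feed. What follows is an added example, not code from the OIG report, CISA, or this post. It assumes indicators arrive as STIX 2.1 indicator objects (the format AIS exchanges over TAXII), constructs three sample indicators, and scores each on the optional STIX properties that supply context (description, confidence, indicator type, kill chain phase, external references) while also checking whether the indicator has expired. The sample IDs, values, and the three-property threshold are assumptions made for this example, not real AIS data or a CISA rule.

```python
"""Triage STIX 2.1 indicators for context and freshness.

Added example; not code from the OIG report, CISA, or this blog. It assumes
AIS participants receive indicators as STIX 2.1 JSON objects (AIS exchanges
STIX over TAXII). The sample objects, their IDs, and the scoring threshold
are constructed for this example and are not real AIS data or a CISA rule.
"""
import re
from datetime import datetime, timezone

# Optional STIX 2.1 properties that turn a bare IOC into something an analyst
# can prioritise: what it is, how confident the producer is, where it sits in
# the kill chain, and where to read more.
CONTEXT_PROPS = ("description", "confidence", "indicator_types",
                 "kill_chain_phases", "external_references")
MIN_CONTEXT = 3  # threshold chosen for this example, not a CISA standard

# One comparison inside a STIX pattern, e.g.  ipv4-addr:value = '203.0.113.5'
COMPARISON_RE = re.compile(
    r"([\w-]+:[\w.\-\[\]']+)\s*(=|!=|LIKE|MATCHES)\s*'([^']*)'")

AS_OF = datetime(2020, 10, 1, tzinfo=timezone.utc)  # fixed "now" for reproducible results


def observables(pattern: str) -> list:
    """Return (object_path, value) pairs found in a STIX pattern string."""
    return [(path, value) for path, _op, value in COMPARISON_RE.findall(pattern)]


def _stix_time(ts: str) -> datetime:
    """Parse a STIX timestamp such as 2020-09-01T00:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def assess(ind: dict, as_of: datetime = AS_OF) -> dict:
    """Score one indicator: missing context, expiry, and an actionable verdict."""
    missing = [p for p in CONTEXT_PROPS if not ind.get(p)]
    score = len(CONTEXT_PROPS) - len(missing)
    until = ind.get("valid_until")
    expired = bool(until) and _stix_time(until) < as_of
    obs = observables(ind.get("pattern", ""))
    return {
        "id": ind.get("id"),
        "observables": obs,
        "score": score,
        "missing": missing,
        "expired": expired,
        # Push to a blocklist or detection only if there is something to match,
        # the producer supplied enough context, and the indicator is still valid.
        "actionable": bool(obs) and score >= MIN_CONTEXT and not expired,
    }


def triage(indicators: list, as_of: datetime = AS_OF) -> dict:
    """Summarise a feed the way the OIG's respondents judged AIS: how much of
    it can be acted on, and how much lacks context or has gone stale."""
    results = [assess(i, as_of) for i in indicators]
    return {
        "assessed": len(results),
        "actionable": [r["id"] for r in results if r["actionable"]],
        "lacking_context": [r["id"] for r in results if r["score"] < MIN_CONTEXT],
        "expired": [r["id"] for r in results if r["expired"]],
    }


# Constructed sample feed (IDs, addresses, names and hashes are made up).
SAMPLE_INDICATORS = [
    {   # bare IOC: a pattern and nothing else, the kind of item respondents complained about
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-000000000001",
        "created": "2020-09-01T00:00:00.000Z", "modified": "2020-09-01T00:00:00.000Z",
        "pattern": "[ipv4-addr:value = '203.0.113.5']", "pattern_type": "stix",
        "valid_from": "2020-09-01T00:00:00Z",
    },
    {   # contextualised indicator: an analyst can decide what to do with this
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-000000000002",
        "created": "2020-09-15T00:00:00.000Z", "modified": "2020-09-15T00:00:00.000Z",
        "pattern": ("[domain-name:value = 'cdn-update.example' AND "
                    "file:hashes.'SHA-256' = "
                    "'2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824']"),
        "pattern_type": "stix",
        "valid_from": "2020-09-15T00:00:00Z", "valid_until": "2021-03-01T00:00:00Z",
        "description": "Loader C2 domain and dropper hash seen in constructed campaign X.",
        "confidence": 80,
        "indicator_types": ["malicious-activity"],
        "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                               "phase_name": "command-and-control"}],
        "external_references": [{"source_name": "constructed-report", "external_id": "RPT-0001"}],
    },
    {   # had context once, but its validity window closed long before AS_OF
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-000000000003",
        "created": "2019-01-01T00:00:00.000Z", "modified": "2019-01-01T00:00:00.000Z",
        "pattern": "[url:value = 'http://stale.example/payload']", "pattern_type": "stix",
        "valid_from": "2019-01-01T00:00:00Z", "valid_until": "2019-06-01T00:00:00Z",
        "description": "Payload URL from a constructed 2019 phishing wave.",
        "confidence": 50,
        "indicator_types": ["malicious-activity"],
    },
]

if __name__ == "__main__":
    print(triage(SAMPLE_INDICATORS))
```

Run against the constructed feed, only the second indicator is actionable: the first is flagged as lacking context and the third as expired. The same scoring applied to a real AIS pull gives a recipient its own version of the OIG’s “11 of 17 said the indicators lacked contextual data” figure, and a basis for deciding which items are worth pushing into a blocklist or detection rule.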
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.