Sharing threat intelligence with the private sector at the Department of Homeland Security is hamstrung by prioritizing speed of release over adding context or other value, and by a lack of integration between classified and unclassified databases that leaves analysts with only half the picture, an agency watchdog said Monday.
“Given these limitations” to DHS’s automated information sharing (AIS) program “federal and private sector partners sometimes rely on other systems or participate in other DHS information sharing programs to obtain quality cyber threat data,” finds a report from the department’s inspector general.
The IG was mandated by the 2015 Cybersecurity Act to report biennially on the department’s efforts with regard to the AIS program. The Cybersecurity Act created liability protections for private sector companies that shared cyberthreat information with the federal government through DHS, and ushered in a new era in which “indicators of compromise” — the tell-tale signs of a cyber-intrusion — could be shared instantaneously across the government and private sector.
“We determined the department faces a number of challenges to effectively sharing cyberthreat indicators and defensive measures with other Federal entities and the private sector,” wrote the inspector general. “Specifically:
- DHS prioritizes speed of distributing indicators “instead of including additional contextual information that … participants desire … Because the AIS feed is produced through an automated process, with pre-determined data fields, the information may not provide sufficient details to be actionable.”
- There are no automated tools available to analyze and share cyber threat information across classified and unclassified databases, even for analysts entitled to access both. “These databases are hosted separately and are not linked to each other for information sharing purposes … [DHS] cyber analysts we interviewed indicated that they lacked automated capability to process information from the classified repository to the unclassified database. This separation restricted the analysts’ ability to compile a complete situational awareness of a potential threat.”
- Enhanced outreach is needed to increase participation and better coordinate information sharing across Federal agencies and the private sector.