GAO Calls for Better Info-Sharing by ONCD and CISA After Cyberattacks; May be Inconsistent with New Mandates
Information sharing has seemed like the “holy grail” of federal cyber policy: sought after but elusive, especially to those who think it will solve their problems. At a time of increased regulation and looming mandates for incident reporting and collaboration, the United States is looking at how to improve information sharing. In 2015, Congress passed, and President Obama signed, the Cybersecurity Information Sharing Act (CISA 2015), which included protections for information voluntarily shared with the federal government. As policymakers look to do more on cyber, CISA 2015 appears largely overlooked, while the Government Accountability Office (GAO) confirms that more work remains to be done by some key players that otherwise are moving toward regulation.
GAO’s report adds another layer to the cyber initiatives sweeping across the federal government. Earlier this year, the White House released its National Cybersecurity Strategy (Strategy), followed in July by a corresponding implementation plan. The implementation plan included, among a large swathe of other proposed actions, eight initiatives focused on addressing cyber threat information sharing challenges. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS) has been engaged in its cyber incident notification rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
GAO recommends better information sharing with and by the federal government
The GAO report recommends that the Office of the National Cyber Director (ONCD) and CISA work harder to promote information sharing to protect critical infrastructure from cyberattacks. According to GAO, federal agencies and critical infrastructure owners and operators must share information to tackle increasingly complex cyber threats, but long-standing challenges involving security concerns and timeliness make this harder. GAO recommends that ONCD identify outcome-oriented performance measures for cyber threat information sharing. GAO also recommends that CISA conduct a comprehensive assessment of whether the current state of sharing methods used by critical infrastructure agencies is optimal. Recent cyberattacks raise serious concerns about the security of federal information sharing efforts.
GAO undertook this study because cyber threats to the nation’s critical infrastructure have led policymakers to call on federal agencies and critical infrastructure owners and operators to share cyber threat information. GAO recognizes that ONCD and CISA lead federal efforts to coordinate national cyber policy and the security of critical infrastructure. Accordingly, GAO examined (1) how federal agencies and critical infrastructure owners and operators share cyber threat information, and (2) the challenges to cyber threat information sharing and the extent to which federal agencies have taken action to address them.
The GAO report takes the view that, due to a lack of assessment criteria for information sharing activities in the Strategy and implementation plan, ONCD should create outcome-based performance measures. The report notes that ONCD officials have stated that “performance measures will be developed, as appropriate, for the assessment of cyber threat information sharing activities.” However, GAO highlights that ONCD has not yet provided a timeline for creating such measures. The report also states that ONCD agreed with GAO’s findings on outcome-oriented measures but disagreed on the recommendation that it identify any performance measures, due to a lack of existing measurement resources. GAO countered that the recommendation is feasible for ONCD to implement.
As for CISA, GAO surveyed the cyber threat information sharing practices of 14 federal agencies and 7 non-federal entities. GAO found that existing information sharing occurs through a mix of centralized and federated, sector-specific approaches. The report notes that the implementation plan lacks a process for assessing whether this current mix is optimal. Accordingly, GAO recommends that CISA assess whether the current mix should be retained or consolidated into either a centralized or a federated approach. The report also notes that “agencies may be able to better address the challenge of lack of timely sharing if federal agency resources that are spread across centralized and federated approaches were aligned under a single approach.”
The GAO recommendations were published just days before reports of a recent cyberattack targeting a prominent government contractor that may have compromised physical security information concerning the Department of Homeland Security. This comes as news reports indicate that Chinese hackers obtained 60,000 emails from the Department of State—on the heels of an earlier compromise of both the Commerce and State Departments.
As government and contractor information systems remain targets for malicious cyber actors, more needs to be done to encourage the meaningful sharing of information and to protect critical systems from continual cyberattacks.
DHS and other agencies, like the Securities and Exchange Commission and the Federal Communications Commission, may consider this GAO report as they develop reporting mandates and information sharing platforms. As we recently discussed in our Wiley Connect Podcast, How to Fix the Cyber Incident Reporting Mess, multiple and proliferating reporting regimes can stress—or render superfluous—voluntary information sharing regimes.