IG Report Finds Cyber Info Sharing Works but Barriers Remain – Implications for Incident Reporting?
A recent Report to Congress from the Office of Inspector General (OIG) of the Intelligence Community addresses barriers to information sharing that Congress sought to promote in landmark 2015 legislation. This report may have implications for ongoing work to develop new cyber incident reporting mandates, some of which have been directed by Congress, but most of which are being developed by agencies on their own.
The report, issued jointly with the OIGs of the U.S. Departments of Commerce, Defense (DoD), Energy, Homeland Security (DHS), Justice (DOJ), and the Treasury, evaluated the effectiveness of congressionally authorized cybersecurity information sharing. The report finds that sharing cyber threat indicators (CTIs) and defensive measures (DMs) under the Cybersecurity Information Sharing Act of 2015 (CISA2015) has been adequate but that barriers remain. CISA2015 was landmark legislation to enhance cybersecurity collaboration by fostering information sharing between government and private entities.
This report, and continued efforts to harmonize new agency efforts with those of DHS, could inform ongoing debates over proposed and forthcoming mandatory incident reporting, or it may be too late to influence key decisions. Incident reporting mandates in the last year have begun to move beyond CISA2015. We were involved in the passage of CISA2015, and have been engaged in reporting work at the state and federal level, some of which threatens to be duplicative or burdensome for covered entities. This blog post describes the report’s findings and suggests how it might influence reporting mandates that are emerging at multiple agencies.
What Is the Report?
The report assessed the sufficiency of policies and procedures for sharing by the private sector and within the federal government, proper information classification, security clearances for sharing information with the private sector, actions taken to share information, the degree to which information was relevant and meaningful, and barriers to sharing.
Overall, the OIG report found information sharing under CISA2015 to be “adequate.” The report also found the procedures to ensure the protection of privacy and civil liberties while sharing CTIs and DMs to be adequate. However, the remaining barriers to sharing are significant, which is the key takeaway from the report because it has implications for the implementation of the forthcoming Federal Acquisition Regulation (FAR) reporting mandates, as well as for the new incident reporting rules being developed by DHS’s Cybersecurity and Infrastructure Security Agency (CISA) under the Cybersecurity Information Sharing for Critical Infrastructure Act of 2022 (CIRCIA). A major question asked by regulated entities is what purposes new incident reporting mandates will serve, and whether agencies can make meaningful use of the information provided in such reports.
The Report Identifies Barriers to Sharing Information
The report assesses sharing by private entities with peers and government and the use and distribution of shared information by government recipients. As to the former, the report observes that private-sector sharing has been impacted by competitive and legal concerns in addition to concerns about a negative commercial impact and “regulatory consequences” that may follow cooperation with law enforcement.
With respect to the other direction of sharing – federal to private sector – the report finds that federal entities continue to be reluctant to share CTIs provided to the government with wider audiences. Some agencies prefer to share only within the federal government, or only with the specific sector over which they have clear authority, or they decline to share out of concern about jeopardizing ongoing operations. Classification of information was another barrier to sharing, in that “cross-domain sharing is not viable.” Many agencies do not have the capability to transition classified information to unclassified sharing and vice versa.
The most significant barriers identified in the report relate to the DHS Automated Indicator Sharing (AIS) capability, which was developed to satisfy the CISA2015 requirement for real-time exchange of CTIs and DMs. AIS shares only “one all-inclusive feed,” which makes it difficult for recipients to sort through the information to identify what may be relevant to them. AIS data also lacks the context and timing information needed to determine relevance. DHS identified inconsistent vendor support for the sharing specifications AIS uses as a further barrier, one that hampers its ability to incorporate CTIs and DMs shared by others into AIS. The new proposed FAR rule on incident reporting requires submitting reports to AIS, and the CIRCIA rules may do the same, so this finding is particularly notable for ongoing policy development.
On a positive note, the report did identify mitigations for these barriers that are underway or planned. DOJ and Commerce are using automated tools to improve the quality of information shared through AIS. DHS introduced the AIS Scoring Framework to improve the quality of CTIs and DMs; according to the DHS website, it enables the submitter to provide (1) an opinion value based on corroboration with other sources, and (2) a confidence score in the correctness of the information.
What Does the Report Suggest for Future Information Sharing and Reporting Mandates?
CIRCIA mandates incident reporting for critical infrastructure to the Cybersecurity and Infrastructure Security Agency under DHS. CISA is working on those rules. In some respects, CIRCIA reflects several key policies embodied in CISA2015, such as the explicit protection of proprietary information, protection from use of shared information for regulatory purposes, protection from liability for sharing, and protection from disclosure under the Freedom of Information Act (FOIA). Both CIRCIA and CISA2015 protect individual privacy through the application of the Fair Information Practice Principles (FIPPs) and by requiring the removal, prior to sharing, of information related to a specific individual that is unrelated to the threat.
In other respects, CIRCIA goes beyond CISA2015 in its demands for shared information, potentially increasing burdens substantially. For example, it requires cyber incident reports to identify the functions of affected information systems, networks, and devices; to describe the unauthorized access, damage, or disruption; to identify the categories of information accessed or acquired; and to describe the impact on operations, including on the reliable operation of critical infrastructure. The rules are still being developed, but they envision mandatory sharing that is far broader than the sharing encouraged by CISA2015.
In developing CIRCIA, Congress did not examine or build on CISA2015’s successes or limits. Had this report been available as Congress drafted and considered CIRCIA, it could have focused Congress on what did and did not work in CISA2015. Instead, Congress pressed ahead to create new mandates requiring the reporting of broader information. The congressionally required Cyber Incident Reporting Council Report on harmonization recognized that the most significant challenges are “varying definitions” of reportable information, “report content requirements” including differences in the degree of technical information requested, and “reporting mechanisms.” These challenges may present CISA, under CIRCIA, with the same barriers to information sharing that the OIG report identified under CISA2015.
The report may also help inform other reporting regimes. Other agencies are proceeding with new mandates that appear duplicative of or inconsistent with CISA2015, in that they do not prioritize protection of reporting entities, the confidentiality of information shared, or the preclusion of regulatory and enforcement consequences. For example, the Federal Communications Commission (FCC) has created new and expansive data breach reporting rules, which we described in a December Alert, that lack protections for the security of reported information, including proprietary information. Likewise, the U.S. Securities and Exchange Commission (SEC) has adopted broad Cyber Incident Reporting Rules that will result in public disclosure of public companies’ cybersecurity incidents and practices without protection, exposing them to regulatory and enforcement risks as well as litigation and potential revictimization by bad actors. Other agencies are adopting reporting mandates that seek far more information than was contemplated under CISA2015 and raise questions about what regulators can and will do with that information.
Policymakers could have benefited from the report’s examination of the utility and success of CISA2015, and from the lessons learned from its limitations. The report suggests that several barriers remain that could impact the effectiveness of incident reporting and associated activities at many different federal agencies. Hopefully policymakers will review this report and consider how to ensure that new incident reporting mandates are workable, useful, and not unduly burdensome.