IG Says DHS Can Improve Cyber Threat Information Sharing

The Cybersecurity Information Sharing Act (CISA) that passed in 2015 directed DHS to establish a voluntary process for sharing cyber threat information between federal and private sector entities. In a newly released report, the DHS Office of Inspector General (OIG) found that while DHS has established a process for sharing cyber threat information between the federal government and the private sector, several improvements are still needed.

In the nearly two years since CISA passed, DHS has developed some capability to share cyber threat information and defensive measures among the various federal, non-federal and private sector organizations. One key element in this capability has been DHS’s implementation of the Automated Indicator Sharing (AIS) program and supporting systems.

Despite progress on several fronts, the IG recommends that NPPD address the following needs in order to support further improvement in its information sharing capability.

Need for quality, not just quantity, of shared cyber threat information

The review noted that the National Protection and Programs Directorate (NPPD) emphasizes timeliness, speed, and volume of cyber information sharing, but that current DHS systems do not provide the quality, contextual data needed to effectively defend against threats. The AIS cyber threat feed is produced through an automated process, with pre-determined data fields, so the information may not provide sufficient details to be actionable. Given AIS’ limitations, federal and private sector entities rely on other systems or participate in other DHS information sharing programs to obtain quality cyber threat data. According to an NPPD official, DHS plans to implement the next version of AIS, which could provide more quality information, by the fourth quarter of 2018.

Need for cross-domain capabilities and automated tools

The IG notes that the National Cybersecurity and Communications Integration Center (NCCIC) does not have an effective cross-domain solution for sharing unclassified and classified cyber threat indicators and defensive measures with federal entities and the private sector. The NCCIC relies on separate unclassified and classified databases which are hosted separately and are not linked to each other for information sharing purposes. With no automated capability to process information from the classified repository to the unclassified database, analysts are unable to compile a complete situational awareness of a potential threats. Further, the NCCIC also lacks automated tools needed to query multiple sources to analyze, synthesize and share information in a timely fashion.

The IG concluded that by acquiring a cross-domain solution, DHS can provide more detailed cyber information, improve the quality and usefulness of cyber threat reports, and correlate cyber threat indicators and defensive measures across its unclassified and classified environments. Additional automated analytical tools, data standards, and quality controls across NCCIC cyber threat databases would also help streamline vetting processes and ensure uniformity in data format.

Need for better outreach to federal and private entities

The audit found that DHS can enhance its outreach to increase participation and usefulness of the AIS program among participant stakeholders. While the NCCIC and DHS’s Stakeholder Engagement and Cyber Infrastructure Resilience (SECIR) division were conducting outreach such as briefings and industry-sponsored events, efforts were inconsistent and DHS faced challenges in overcoming technical, resource, training, or cultural obstacles to AIS participation among both federal and private sector organizations. The IG concluded that through enhanced AIS outreach, DHS can increase awareness and participation in AIS services, including increased bi-directional cyber threat indicator sharing across federal and private sector entities to improve the cyber posture across domains.

Need for improved security controls for systems used for cyber information sharing

In addition to assessing DHS’s implementation of the Cybersecurity Act and identifying related challenges, the IG found that NPPD can improve security controls for the unclassified and classified systems it uses to process and share cyber threat information. Specifically, auditors found that NPPD had not implemented all required configuration settings and not applied security patches in a timely manner on workstations and servers deployed in the related Mission Operating Environment (MOE), both classified and unclassified, posing risks to the confidentiality, integrity, and availability of these systems, as well as the sensitive information that these systems store and process.