A new report from the Government Accountability Office (GAO) finds that Federal agencies and critical infrastructure owners must do a better job at sharing information to tackle increasingly complex cyber threats.
However, long-standing challenges – such as security concerns and timeliness – make this harder, the watchdog said, and must be better addressed in the White House’s National Cybersecurity Strategy.
GAO’s Sept. 26 report identified six challenges to effective sharing of cyber threat information defined by at least one-third of the entities the watchdog surveyed. GAO called on the White House’s Office of the National Cyber Director (ONCD) and the Cybersecurity and Infrastructure Security Agency (CISA) to take steps to resolve these weaknesses.
The top weaknesses include lack of funding; security concerns; timeliness; limited voluntary sharing; lack of actionable information; and limited relationships.
The report notes that although almost all the Federal agencies said they have taken initial actions to address these threat sharing challenges, all the agencies also acknowledged that these challenges have not been fully resolved for their sectors.
“Cyber threats to the nation’s critical infrastructure sectors are significant. As such, it is important that federal agencies and critical infrastructure owners and operators share cyber threat information,” GAO wrote. “ONCD and CISA lead federal efforts to coordinate on national cyber policy and the security of critical infrastructure.”
This year, the White House issued its National Cybersecurity Strategy and accompanying implementation plan to articulate the administration’s plan for addressing the nation’s long-standing cybersecurity challenges – including those pertaining to information sharing. GAO notes that the implementation plan includes eight initiatives that could help agencies make progress in addressing the cyber threat information sharing challenges.
However, the watchdog chided ONCD for its implementation plan failing to identify outcome-oriented performance measures to assess the effectiveness of the steps taken under the eight information sharing initiatives described in the plan.
Additionally, the report notes that the long-standing nature of the cyber threat sharing challenges raises questions about whether the mix of centralized and sector-specific sharing approaches is optimal.
“Although the implementation plan calls for CISA to assess whether new or improved sharing methods are needed, it does not include an assessment of whether existing sharing methods should be retired in favor of centralized or sector-specific sharing approaches,” GAO said.
“Until the ONCD and CISA take steps to resolve these weaknesses, the long-standing cyber threat sharing challenges will likely continue to persist,” the report reads.
GAO is recommending that:
- ONCD identify outcome-oriented performance measures for the cyber threat information sharing initiatives included in the National Cybersecurity Strategy implementation plan; and
- CISA assess whether the current mix of centralized and sector-specific sharing methods used by agencies is the optimal approach to addressing cyber threat sharing challenges.
In commenting on a draft of the report, ONCD agreed with GAO’s finding on outcome-oriented measures but disagreed with the recommendation.
“While ONCD intends to develop performance measures for the Implementation Plan, in the cybersecurity field in general there remains a lack of validated, outcome-based performance measures for this kind of cybersecurity information sharing,” ONCD wrote. “Thus, ONCD believes it is premature for a recommendation to update the NCSIP to include them.”
“[D]eveloping outcome-based performance measures for cybersecurity effectiveness is a challenging topic that will likely require years of work and research to address,” the agency added.
CISA concurred with GAO’s recommendation.