The Department of Homeland Security has made progress on the cyber threat information sharing requirements set forth by law, but it needs to improve the quality of the information it shares through an automated portal for it to be more effective in reducing security risks, the department's watchdog agency says in a new report.
The information sharing portal, authorized as part of the Cybersecurity Act of 2015, is the Automated Information Sharing (AIS) program. It allows federal, state and local governments and private sector entities to sign up and voluntarily exchange cyber threat indicators, and it allows the DHS Cybersecurity and Infrastructure Security Agency (CISA) to share unclassified cyber threat information with program participants. The AIS portal was stood up in March 2016.
The DHS Office of Inspector General says in a report on Wednesday that "DHS has addressed the basic information sharing requirements" of the 2015 law, including the development of the AIS program, policies and procedures to share cyber threat information.
"However, CISA has made limited progress improving the overall quality of information it shares with AIS participants to effectively reduce cyber threats and protect against attacks," says the report, DHS Made Limited Progress to Improve Information Sharing under the Cybersecurity Act in Calendar Years 2017 and 2018 (OIG-20-74), which is dated Sept. 25. "CISA's lack of progress in improving the quality of information it shares can be attributed to a number of factors, such as limited numbers of AIS participants sharing cyber indicators with CISA, delays receiving cyber threat intelligence standards, and insufficient CISA office staff. To be more effective, CISA should hire the staff it needs to provide outreach, guidance, and training."
The quantity of cyber threat information being shared and the number of participants in the AIS program have increased, but the data is lacking "enough detail to fully mitigate potential threats," the report says. "Specifically, the AIS indicators shared with participants did not contain actionable information, including sufficient context or background details to effectively protect federal and private networks. Examples of contextual information may include Internet Protocol addresses, domain names, or hash files, which may be helpful for determining the appropriate course of action to mitigate threats against networks."
Through 2018, CISA had 219 non-federal AIS participants and 33 federal participants, according to the report. That represents a 142 percent increase since 2016, although federal participation was up only 10 percent in that time, to 33 entities, the report says.
During that same period, CISA increased the number of cyber threat indicators it shared with AIS participants by more than 2,000 percent to 4 million, the IG says.
The IG makes four recommendations, all agreed to by CISA: developing an approach to get more private and public sector AIS participation, promoting the program through outreach, training and assistance, working on new standards for AIS upgrades, and prioritizing the hiring of staff to improve the program.