Federal agencies have improved their cybersecurity information sharing in recent years but barriers remain, according to a recent joint report released by the Office of the Inspector General (OIG) of the Intelligence Community (IC).
The OIG published the report on Jan. 5, as mandated under the Cybersecurity Information Sharing Act of 2015. The law requires the inspectors general of the Departments of Commerce (DoC), Defense (DoD), Energy (DoE), Homeland Security (DHS), Justice (DoJ), Treasury, and the Office of the Director of National Intelligence (ODNI) to jointly report to Congress on their cyber information sharing progress every two years.
This report analyzes the most recent two-year period: calendar years 2021 and 2022. The OIG of the IC compiled the results in the report, which explains that the 2015 law promotes the voluntary sharing of cyber threat indicators (CTIs) and defensive measures (DMs) between Federal and non-Federal entities.
“The OIGs determined that CTI and DM sharing has improved over the past two years, and efforts are underway to expand accessibility to information,” the report says.
For example, in 2016, DHS’s Cybersecurity Infrastructure Security Agency (CISA) developed the Automated Indicator Sharing (AIS) capability, which allows the real-time exchange of unclassified CTI and DMs to participants of the AIS community.
In 2021 and 2022, the report found that Federal agencies continued to share cyber threat information through the AIS, which is offered at no cost to participants.
However, the report found that some agencies are not tracking how much shared cyber information they ingest. For instance, both DoC and DoD received CTIs and DMs from AIS, but did not track the information to quantify the number.
On the contrary, DHS received 9,888,099 CTIs in 2021 and 809,844 CTIs in 2022 through the AIS, and it shared the indicators with other Federal agencies.
The report highlights barriers to sharing cyber threat information, which include the Commerce Department’s concern that CISA is not sharing enough information with AIS participants. Nevertheless, DoC used third-party software to enhance AIS indicator quality with additional context.
Another barrier, offered up by the DoD and DoJ, included that some Federal agencies are hesitant to share cyber threat information because the sharing may jeopardize ongoing operations.
The report did not offer any recommendations, but it instead serves as a snapshot of cybersecurity information sharing throughout 2021 and 2022.
