Government, industry fall short in sharing cyber threat data

Auditors say expectations not being met when it comes to sharing information about threats to U.S. critical infrastructure

The government isn’t giving industry officials the timely and actionable information on cyber threats that they expect, nor is industry always meeting government expectations for sharing cyber threat data, according to the Government Accountability Office.

Just 27 percent of 56 industry representatives surveyed by GAO said the government was, to a great or moderate extent, giving them timely and actionable cyber threat information and alerts. Industry officials also reported a lack of access to classified information, a secure way to share that data, security clearances and a single central government source for cyber information, GAO said in a report released Aug. 16.

“Private-sector stakeholders are not consistently receiving their expected services from their federal partners because, in part, federal partners are restricted in the type of information that can be shared with the private sector and lack an understanding about each sector’s specific information requirements,” auditors concluded.

Government officials reported to GAO that industry is mostly meeting their expectations in several areas, although they said some improvements could be made. The extent to which industry is fulfilling government’s expectations varies by critical-infrastructure sector, auditors said. Some industry officials don't want to share their proprietary information with the federal government because of worries about public disclosure.

Officials working with the information technology sector reported the private sector was giving it only one of the 10 services that were expected, GAO said.

GAO focused its reporting on the banking and finance, communications, defense industrial base, energy, and IT sectors because of their reliance on cyber assets. The auditors analyzed reports and interviewed officials involved in those sectors.

Related stories

Critical Infrastructure central to cyber threat

FBI's Mueller urges companies to share info on cyber crime

The government has identified a total of 18 critical infrastructure sectors. Each sector has a council comprised of industry officials and a council that includes local, state and federal government officials. The councils are supposed to work together to bolster critical infrastructure protection.

The Homeland Security Department has issued the National Infrastructure Protection Plan (NIPP) as the framework for dealing with threats – including those that are cyber-based – to that infrastructure.

“Without improvements in meeting private- and public-sector expectations, the partnerships will remain less than optimal and there is a risk that owners of critical infrastructure will not have the appropriate information and mechanisms to thwart sophisticated cyberattacks that could have catastrophic effects on our nation’s cyber-reliant critical infrastructure,” GAO said.

GAO recommended that the White House cybersecurity coordinator and DHS use its findings to focus on cybersecurity information-sharing efforts and to bolster DHS’ new National Cybersecurity and Communications Integration Center.

The cybersecurity coordinator didn’t provide it with comments on the findings, GAO said. DHS agreed with the recommendations and described efforts under way to deal with them. DHS said it is integrating public- and private-sector partners into that new center.

Three senior Democrats on the House Homeland Security Committee, including Chairman Rep. Bennie Thompson (D-Miss.), said in a statement that the report shows that public- and private-sector cybersecurity efforts aren’t always on the same page.

“Given the growing nature of the threat, DHS and the private sector must commit to cooperative efforts to ensure the safety of our nation’s cyber infrastructure and security of the critical functions it provides,” he said.


About the Author

Ben Bain is a reporter for Federal Computer Week.


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected