Government information sharing efforts remain a mixed bag
The rollout of a new tool in 2017 has improved information sharing across the federal government, but other once-promising programs are withering on the vine, according to an audit released Dec. 19.
An unclassified joint report by Inspectors General from the Office of the Director of National Intelligence and the Departments of Defense, Homeland Security, Justice, Commerce, Energy and Treasury found that sharing of cyber threat indicators and defensive measures has improved markedly over the last few years.
According to auditors, that's in part due to the deployment of a new tool -- the Intelligence Community Analysis and Signature Tool (ICOAST) -- that has helped to increase the dissemination of threat intelligence to thousands of analysts at the top-secret level. The tool draws from open source, email distributions, paid commercial sources and technical capabilities to facilitate more robust data around forensic indicators of compromise and malware signatures.
First deployed in 2017, the ICOAST tool has enabled cyber analysts to "more rapidly share high-quality cyber threat information and [fostered] analytic collaboration." The Intelligence Community Security Coordination Center, which developed the tool, also designs and oversees a yearly exercise dubbed "ICE STORM," which tests out cybersecurity information sharing capabilities between the Intelligence Community, DOD, law enforcement agencies and international partners. Efforts are currently underway to expand the tool's application at the secret and unclassified levels so it can be deployed on the federal government's numerous clouds, but ICSCC officials have said the project needs additional personnel and resources.
At the other end of the spectrum, auditors gave mostly tepid reviews for the Automated Indicator Sharing program run by DHS' Cybersecurity and Infrastructure Security Agency. Once viewed as a potential crown jewel of the federal government's information sharing efforts with the private sector, the program has suffered from a lack of engagement, with only half a dozen or so entities actually sharing data back with the government. That reality has largely stalled efforts to improve the quality of the data produced by the program and build out more actionable information around ongoing cyber threats.
The program also suffers from uneven use and tracking across federal agencies. While Homeland Security, Justice, Energy and Treasury reported receiving hundreds of thousands of cyber threat indicators through AIS in 2017 and 2018, ODNI and six DOD component agencies did not use the program at all. Commerce and two other unnamed DOD components reported using the program to receive threat indicators over that same timeframe, but did not keep track of how often.
DHS announced plans earlier this year to give the program a facelift in hopes of boosting participation, but the joint report indicates that many of the same core barriers remain in place. To wit, while DHS has put out a number of general guidance documents, companies say they still don't have a good sense of what they're supposed to do with much of the information they get from the program. Too many technical indicators of dubious value and quality and a lack of context or guidance about their significance were also cited, while feedback gleaned from federal agencies also points to overclassification of threat data and integration problems between government software systems as key barriers to wider sharing efforts.
In September, a CISA official told FCW the agency was working to build more customized feeds for different audiences to cut down on the noise and introduce more human interaction into the automated program.
"It was originally intended to not have much human [presence] in the loop…but garbage-in garbage-out is always a risk there," said Jeanette Manfra, the outgoing assistant director for cybersecurity and communications. "So there will probably be less quantity and higher confidence and higher quality, because that's most of the feedback we've gotten. [We've heard] 'if it's coming from the government, we're happy to trust it, but we want to know that this is no kidding the most important stuff.'"