IGs Ask: How Well Do Feds Share Cyber-Threat Info?

Just as reports of hackers accessing government systems were emerging, the Commerce Department’s inspector general office announced it would immediately begin assessing agencies’ information-sharing practices.

The office is required to create an interagency report on the most recent two-year period in collaboration with the inspectors general of the intelligence community and other appropriate federal agencies under the Cybersecurity Information Sharing Act of 2015, according to a Dec. 14 memo alerting Commerce’ chief information officer. 

Previous IG reports on information sharing under the 2015 law have focused on weak private-sector information sharing with the government or vice versa. But the statute also governs how well information is being disseminated within the federal government, and on that front, a key government contractor has already weighed in with a scathing review.

Amidst the ongoing hacking campaign that leveraged an intrusion into ubiquitous IT management company SolarWinds, Microsoft President Brad Smith said government departments are actively undermining information sharing across government agencies.

“One indicator of the current situation is reflected in the federal government’s insistence on restricting through its contracts our ability to let even one part of the federal government know what other part has been attacked,” Smith wrote in a Dec. 17 blog post. "Instead of encouraging a 'need to share,' this turns information sharing into a breach of contract." Microsoft declined to elaborate on the blog post.

Smith said Microsoft, which acknowledged “malicious binaries” from SolarWinds in its environment, notified 40 of its customers, including government agencies, that they were more specifically targeted than the 18,000 entities SolarWinds estimates downloaded a trojanized update. 

“We still lack a formal and cohesive national strategy for the sharing of cybersecurity threat intelligence between the public and private sectors,” Smith added. “While there need to be important safeguards to protect government secrets and private citizens’ privacy, the time has come for a more systemic and innovative approach to the sharing and analysis of threat intelligence with those best positioned to act.”

One idea, proposed by the Congressionally mandated Cyberspace Solarium Commission, is to establish a threat intelligence sharing  environment where public and private-sector entities in the Defense industrial base would be able to conduct “joint co-located analytics.” But the Information Technology Industry Council—which includes Microsoft—and other industry groups opposed inclusion of the measure in the just-passed National Defense Authorization Act. 

The industry groups said they support greater collaboration between the government and private sector, but that the provision, and others highlighting a need for companies to report incidents to the Department of Homeland Security were too broad. 

“Industry urges defense authorizers to ensure that any expanded or new authorities for network information, reporting, or access included as part of this or other legislation are narrowly focused on securing government systems and information,” the industry groups wrote in a letter to lawmakers. “Such authorities should not cover private sector commercial networks that are unrelated to the performance of defense or government contracts, must not harm or unnecessarily impede the global business operations of the wide range of companies that do business with the Department, and should safeguard proprietary information, equipment, and functionality of networks, while addressing liability and just cause concerns.”

The interagency report on information sharing is due in December. Participating IGs include those from the departments of Defense, Energy, Homeland Security, Justice and Treasury, in addition to Commerce and the Office of the Director of National Intelligence. 

They will be specifically looking for: 

• The sufficiency of policies and procedures related to sharing cyber threat indicators within the federal government.
• Whether cyber threat indicators have been properly classified, as well as an accounting of security clearance authorized for the purpose of sharing cyber threat indicators or defensive measures with the private sector.
• Actions taken to use and disseminate cyber threat indicators and defensive measures shared with the federal government.
• Specific aspects of cyber threat indicators and defensive measures shared with the federal government, including those related to DHS’ automated indicator sharing capability, unrelated sharing and privacy violations as well as the adequacy of steps to remediate those, and resulting prosecutions for harm caused by cyber threats. 
• Barriers affecting the sharing of cyber threat indicators or defensive measures.

Among other things, the industry says it wants greater liability protections in the case of lawsuits surrounding anti-competitive behavior, fraud and confidentiality agreements, in order to report more information about risky products and services to the government. A Democratic aide familiar with the NDAA negotiations told Nextgov privacy concerns are already addressed by liability protections in the 2015 information-sharing law.