CISA's Cyber Info-Sharing Program Didn't Always Deliver, Watchdog Says
The Cybersecurity and Infrastructure Security Agency is supposed to give more than 300 agencies and firms the info they need to fix vulnerabilities. That hasn't always happened, the DHS inspector general found.
The Cybersecurity and Infrastructure Security Agency failed to consistently provide adequate cyber threat indicators to participants in an information sharing program, according to a new report.
The Department of Homeland Security Office of Inspector General said CISA’s Automated Indicator Sharing (AIS) service, which provides over 300 partners with real-time unclassified cyber threat information and defensive measures, was not always providing participants with the information required to mitigate threats.
“Most of the cyber threat indicators did not contain enough contextual information to help decision makers take action,” the IG report said, attributing the issue to “limited AIS functionality, inadequate staffing and external factors.”
“Deficiencies in the quality of threat information shared among AIS participants may hinder the federal government’s ability to identify and mitigate potential cyber vulnerabilities and threats,” the report added.
CISA is tasked with providing situational awareness of emerging risks to the nation's critical infrastructure. The agency launched the AIS service in 2016 in response to The Cybersecurity Act of 2015, which established a voluntary threat information sharing process between the public and private sectors.
The report found that CISA updated guidance when necessary, properly classified cyber threat indicators, and accurately accounted for security clearance provisions in the private sector. However, the AIS community – which includes 52 federal agencies – was at times left without critical contextual information to take appropriate actions. Real-time contextual information like anomalies in network traffic, Internet Protocol addresses, domain names and hash files can help organizations better protect themselves from future cyber intrusions, the report noted, as in the case of the 2020 SolarWinds supply chain attack.
“Although CISA generally increased the number of AIS participants and number of cyber threat indicators shared and received, the quality of the cyber threat indicators was not adequate for participants to take necessary actions,” the report said.
The IG recommended CISA complete system upgrades and develop a formal reporting process featuring quality controls, in addition to hiring the necessary staff and encouraging compliance with information sharing agreements. CISA agreed with all four of the recommendations and said it had either fully resolved or was in the process of resolving each issue. The agency said it was building up contractual resources to better support information sharing initiatives and was anticipating a completion date of January 31, 2023.