Government, industry fall short in sharing cyber threat data

Auditors say expectations not being met when it comes to sharing information about threats to U.S. critical infrastructure

The government isn’t giving industry officials the timely and actionable information on cyber threats that they expect, nor is industry always meeting government expectations for sharing cyber threat data, according to the Government Accountability Office.

Just 27 percent of 56 industry representatives surveyed by GAO said the government was, to a great or moderate extent, giving them timely and actionable cyber threat information and alerts. Industry officials also reported a lack of access to classified information, a secure way to share that data, security clearances and a single central government source for cyber information, GAO said in a report released Aug. 16.

“Private-sector stakeholders are not consistently receiving their expected services from their federal partners because, in part, federal partners are restricted in the type of information that can be shared with the private sector and lack an understanding about each sector’s specific information requirements,” auditors concluded.

Government officials reported to GAO that industry is mostly meeting their expectations in several areas, although they said some improvements could be made. The extent to which industry is fulfilling government’s expectations varies by critical-infrastructure sector, auditors said. Some industry officials don't want to share their proprietary information with the federal government because of worries about public disclosure.

Officials working with the information technology sector reported the private sector was giving it only one of the 10 services that were expected, GAO said.

GAO focused its reporting on the banking and finance, communications, defense industrial base, energy, and IT sectors because of their reliance on cyber assets. The auditors analyzed reports and interviewed officials involved in those sectors.


Related stories

Critical Infrastructure central to cyber threat

FBI's Mueller urges companies to share info on cyber crime


The government has identified a total of 18 critical infrastructure sectors. Each sector has a council comprised of industry officials and a council that includes local, state and federal government officials. The councils are supposed to work together to bolster critical infrastructure protection.

The Homeland Security Department has issued the National Infrastructure Protection Plan (NIPP) as the framework for dealing with threats – including those that are cyber-based – to that infrastructure.

“Without improvements in meeting private- and public-sector expectations, the partnerships will remain less than optimal and there is a risk that owners of critical infrastructure will not have the appropriate information and mechanisms to thwart sophisticated cyberattacks that could have catastrophic effects on our nation’s cyber-reliant critical infrastructure,” GAO said.

GAO recommended that the White House cybersecurity coordinator and DHS use its findings to focus on cybersecurity information-sharing efforts and to bolster DHS’ new National Cybersecurity and Communications Integration Center.

The cybersecurity coordinator didn’t provide it with comments on the findings, GAO said. DHS agreed with the recommendations and described efforts under way to deal with them. DHS said it is integrating public- and private-sector partners into that new center.

Three senior Democrats on the House Homeland Security Committee, including Chairman Rep. Bennie Thompson (D-Miss.), said in a statement that the report shows that public- and private-sector cybersecurity efforts aren’t always on the same page.

“Given the growing nature of the threat, DHS and the private sector must commit to cooperative efforts to ensure the safety of our nation’s cyber infrastructure and security of the critical functions it provides,” he said.

 

About the Author

Ben Bain is a reporter for Federal Computer Week.

Reader Comments

Fri, Aug 20, 2010 Orr AK

Doesn't surprise me. Part of the problem has got to be understaffing at the government level. I and several others in our area working in critical infrastructure areas even tried to join Infragard but the only thing we've been told is the FBI agent in charge is too overworked to get to any new applications and is probably not going to any time soon. Sad considering the interest and desire for better communication is present but the lack of resources and support is not.

Fri, Aug 20, 2010 Wayne Anderson Brighton, CO

My first thought when reading this article (and the GAO report) was "Study finds People more likely to slip on wet floor". Anyone who has dealt with the government in this capacity is well aware of the extreme limitations on the flow of information in formats shared with private businesses. The format of such reports should be revisited to ensure that the rush to ensure privacy does not obviate completely the value of the report. No one is asking for detailed information on the target infrastructure or even the name of the affected party however the attack methodology discussion should be amplified in terms of both volume and detail to provide the most criical information for other parties to use the information.

Wed, Aug 18, 2010 Jeffrey A. Williams Frisco Texas

I somewhat agree with the consideration as to the reasons threat information is not shared given in this report. However the most significant reason I personally know of as a IT security professional as to why threat information is not shared better or more openly is simply because the reporting processes that the government have on their websites are simply too difficult to use and the fact that most of these web sites no longer provide direct E-mail address by which such information can be alternitively more easily shared.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above