The challenge to preventing cyberattacks on U.S. critical infrastructure is to stay abreast of hackers’ “ever-changing and increasingly sophisticated tactics and techniques,” the Government Accountability Office (GAO) said in a new report.
While it's important to gather information about cyberattacks to better understand how they can occur and how to prevent them, it isn’t enough on its own, the report said.
“Cyber threats to the nation’s critical infrastructure sectors are significant,” the GAO wrote. “As such, it is important that federal agencies and critical infrastructure owners and operators share cyber threat information.”
The GAO’s review examines:
- How federal agencies and critical infrastructure owners and operators share cyber threat information.
- Challenges to cyber threat information sharing and the extent to which federal agencies have taken action to address them.
What Did the GAO Find?
The GAO reviewed documentation from 14 federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), and seven non-federal entities with responsibility for sharing cyber threat information.
Here’s what the GAO discovered:
- Four agencies — the Department of Defense, the Department of Energy, CISA, and FBI — used more than half of the 11 sharing methods, and 10 agencies used fewer than half of the 11 sharing methods.
Number of agencies using each of the 11 sharing methods:
- Cyber threat briefings: 14 agencies
- Intrusion detection/prevention systems: 3 agencies
- Threat indicator sharing platforms: 1 agency
- Threat information products: 14 agencies
- Malicious activity analysis: 2 agencies
- Exploited vulnerability catalog: 1 agency
- Incident reporting services: 7 agencies
- Incident response services: 2 agencies
- Information sharing and analysis centers: 9 agencies
- Working groups and councils: 6 agencies
- Federal cybersecurity collaboration centers: 3 agencies
The agencies took two different approaches to using all 11 of the sharing methods, the GAO said.
- CISA and the FBI used a centralized approach to share information with each of the 16 critical infrastructure sectors.
- The remaining 12 federal agencies shared sector-specific threat information, the GAO wrote.
The GAO report identified six challenges to effective sharing of cyber threat information. At least one third of the 21 entities in GAO’s review (14 federal agencies and seven non-federal entities) identified these challenges:
- Limited relationships: 8
- Limited funds and resources: 13
- Limited sharing of classified or sensitive information: 13
- Lack of timely sharing: 10
- Limited voluntary sharing: 9
- Lack of actionable information: 9
“Although 13 of the 14 federal agencies reported that they have taken initial actions to address these threat sharing challenges, all 14 agencies also acknowledged that these challenges have not been fully resolved for their sectors,” the GAO wrote.
Flaws in the White House Cyber Strategy?
In March and July 2023, the White House issued its National Cybersecurity Strategy and implementation plan to address the nation's cybersecurity challenges, including those pertaining to information sharing.
The implementation plan includes eight initiatives that, if effectively implemented, could help agencies make progress in addressing the cyber threat information sharing challenges.
Based on GAO's review, the White House's implementation plan has two major flaws:
- It does not identify outcome-oriented performance measures to assess the effectiveness of the steps taken under the eight information sharing initiatives described in the plan.
- Although the implementation plan calls for CISA to assess whether new or improved sharing methods are needed, it does not include an assessment of whether existing sharing methods should be retired in favor of centralized or sector-specific sharing approaches.
Finally, the GAO warned: “Until the [Office of the National Cyber Director] and CISA take steps to resolve these weaknesses, the longstanding cyber threat sharing challenges will likely continue to persist.”