Protecting critical infrastructure—like water and electricity—from cyberattacks is a national priority.
Federal agencies and critical infrastructure owners and operators must share information to tackle increasingly complex cyber threats. Long-standing challenges, such as security concerns and timeliness, make this harder. For example, representatives from a nonfederal partner recently told a Government Accountability Office (GAO) review that the Federal Bureau of Investigation (FBI) briefed them on a cyber threat about five months after it was identified.
The nation’s 16 critical infrastructure sectors rely on electronic systems to provide essential services such as electricity, communications, and financial services. Federal entities have key roles in helping to protect these sectors.
- The Office of the National Cyber Director (ONCD) is to advise the President on cybersecurity policy and strategy, and lead the coordination of implementation of the March 2023 National Cybersecurity Strategy.
- The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is to coordinate the overall federal effort to promote the security of the nation’s critical infrastructure, including the sharing of threat information.
- The FBI is to lead counterterrorism and counterintelligence investigations and related law enforcement activities across the critical infrastructure sectors and share related cyber threat information.
- CISA and 12 other agencies are sector risk management agencies responsible for providing specialized expertise for protecting the cybersecurity of their assigned sectors (e.g., Department of Energy and the energy sector), to include the sharing of sector-specific threat information.
The 14 federal agencies in GAO’s review—CISA, FBI, and the other 12 sector risk management agencies—reported relying on various methods, such as cyber threat briefings, to share cyber threat information with critical infrastructure owners and operators. Some agencies, notably the Department of Defense, the Department of Energy, CISA, and FBI, used more sharing methods than other agencies. GAO also found two different approaches to using the various sharing methods. Specifically, two agencies, CISA and FBI, used a centralized approach to share information with each of the 16 critical infrastructure sectors. The remaining 12 federal agencies shared sector-specific threat information.
Six challenges to effective sharing of cyber threat information were identified by at least a third of the 21 entities in GAO’s review. These were limited relationships, limited funding and resources, limited sharing of sensitive or classified information, lack of timely sharing, limited voluntary sharing, and a lack of actionable information.
Although 13 of the 14 federal agencies reported that they have taken initial actions to address these threat sharing challenges, all 14 agencies also acknowledged that these challenges have not been fully resolved for their sectors. In March and July 2023, the White House issued its National Cybersecurity Strategy and accompanying implementation plan to articulate the administration’s plan for addressing the nation’s long-standing cybersecurity challenges—including those pertaining to information sharing. The implementation plan includes eight initiatives that, if effectively implemented, could help agencies make progress in addressing the cyber threat information sharing challenges. For example, the implementation plan includes an initiative focused on removing barriers to delivering cyber threat intelligence. GAO believes this initiative could help agencies make progress in addressing the challenge of limited sharing of classified or sensitive information.
GAO is recommending that the Office of the National Cyber Director (ONCD) identify outcome-oriented performance measures for the cyber threat information sharing initiatives included in the National Cybersecurity Strategy implementation plan. ONCD did not concur and explained that the cybersecurity field lacks validated outcome-based performance measures for cybersecurity information sharing. It further noted that developing such measures would likely require years of work and research. As a result, the agency stated that it is premature to have the plan include outcome-oriented measures and that without additional research, ONCD would be severely limited in its ability to identify and develop effective metrics for the plan.
GAO is also calling for CISA to assess whether the current mix of centralized and sector-specific sharing methods used by agencies is the optimal approach to addressing cyber threat sharing challenges. DHS agreed with this recommendation and stated that CISA would coordinate with ONCD to evaluate the feasibility of conducting a comprehensive assessment of existing information sharing methods and determine a path forward, as appropriate.