The Office of Inspector General (OIG) says the Cybersecurity and Infrastructure Security Agency (CISA) made limited progress improving the overall quality of threat information but has addressed basic information sharing requirements.
OIG recently published the findings of its evaluation of CISA’s progress in meeting the Cybersecurity Act of 2015’s requirements for 2019 and 2020. The Act requires the Department of Homeland Security (DHS) to establish a capability and process for Federal entities to receive cyber threat information from non-Federal entities. The Act also requires Inspectors General from the Intelligence Community and appropriate agencies to submit a joint report to Congress every two years on Federal Government actions to share cyber threat information.
CISA created an Automated Indicator Sharing (AIS) capability in 2016 to enable the real-time exchange of unclassified cyber threat information and defensive measures to participants of the AIS community. According to OIG, in 2019 and 2020 CISA continued to leverage its AIS capability to share cyber threat information between the Federal Government and the private sector. During that time, CISA reportedly increased the number of Federal participants by more than 15 percent and increased the number of non-Federal participants by 13 percent. CISA asserted it increased the overall number of cyber threat indicators it shared and received by more than 162 percent, but it could not validate this number.
OIG determined that the quality of information shared with AIS participants was not always adequate to identify and mitigate cyber threats.
Cyber threat information must contain enough contextual information to help decision makers take necessary and appropriate actions. Examples of contextual information include Internet Protocol addresses, domain names, file hashes, uniform resource locators, or anomalies in network traffic. Real-time access to the right information is critical for mitigating risks. For example, recent sharing of cyber threat indicators, including malware information, related to the 2021 SolarWinds Orion supply chain compromise led CISA and the Department of Defense Cyber National Mission Force to analyze these malware variants and trace their origins to prevent future cyber incidents.
However, according to the Federal and private sector entities the watchdog interviewed, most of the cyber threat indicators did not contain enough contextual information to help decision makers take action.
Stakeholders also stated that the cyber threat indicators contained false positives, which could mislead entities into treating benign activity as malicious, resulting in unnecessary upgrades or security protocols. Federal agency officials also noted that some participants had shared unconfirmed malware cyber threat indicator information, or low-confidence threat information, that resulted in false positive alerting within security tools. Additionally, private sector feedback identified concerns with AIS customers experiencing false positives from the AIS Public Feed that were later identified as known-good indicators. CISA responded by improving the AIS “allow list” to ensure that these types of known-good indicators are not distributed to stakeholders via AIS. Some Federal stakeholders can filter out these lower-confidence indicators themselves, while others may not have the expertise or intermediate tools to further refine relevant cyber threat indicators and defensive measures.
OIG has attributed the shortcomings to limited AIS functionality, inadequate staffing, and external factors – challenges it previously reported on in its Cybersecurity Act evaluation for 2017 and 2018.
Following this most recent evaluation, OIG made four recommendations to CISA: improve information quality by increasing participants’ sharing of cyber information, complete AIS upgrades, conduct additional training and outreach, and hire the staff needed to improve the AIS program’s operational effectiveness.
DHS concurred and reminded OIG that, since the watchdog’s fieldwork, CISA’s Cybersecurity Division launched its next generation version of AIS, AIS 2.0, which created the capability to apply a CISA opinion score to cyber threat indicators. This score provides an assessment of whether the information can be corroborated with other sources available to the entity submitting the opinion to AIS. AIS 2.0 addresses some of the weaknesses found in OIG’s evaluation. In addition, DHS told OIG that during the past 18 months, CISA’s Cybersecurity Division has added contractual resources to better support its efforts and is also assessing a longer-term approach to allocate resources to fully support the cyber risk mission area.