President Obama's executive order on cybersecurity calls on intelligence agencies to share information about digital threats with the private sector, but the agencies may have trouble sharing information themselves.
Though the Department of Homeland Security has made progress in coordinating the federal response to cyber threats, "challenges remain" in the sharing of information among government agencies and owners of infrastructure deemed vital to national security, the economy or public health, the Government Accountability Office concluded in a report published Thursday.
"Despite repeated emphasis on information sharing, analysis and warning capabilities, and coordination, the federal government continues to face challenges in effectively sharing threat and incident information with the private sector and in developing a timely analysis and warning capability," the GAO wrote.
The directive that President Obama signed Tuesday gives the Attorney General, the Secretary of Homeland Security and the Director of National Intelligence four months to establish a process for disseminating classified reports of cyber threats to financial services firms, electrical grids and other owners of critical infrastructure.
The GAO notes that Homeland Security has taken steps to facilitate information sharing, including forming the National Cybersecurity Communications and Integration Center two years ago. The center serves as a focal point for sharing information among federal agencies, state and local governments, and the private sector. As of May, 16 organizations were participating in the center, according to the GAO.
The report also notes that Homeland Security has established a program that aims to facilitate exchanges of information between its Financial Services Information Sharing and Analysis Center, information technology providers and communications firms. To date, the program has facilitated the sharing of information about 11,000 indicators of cyber threats and roughly 400 indicators of threat activity and analysis bulletins, the GAO cites the Department of Homeland Security as saying.
Still, the GAO found that Homeland Security faces roadblocks in its efforts to improve information sharing. Despite a directive that summary intelligence information should be shared with private sector partners, Homeland Security lacks the authority to declassify information it receives from other entities or to release information that may hinder another agency's investigation, the GAO says.
The GAO points to reports by Homeland Security inspectors general who have observed that federal agencies lack an integrated system for sharing information about cyber threats and cannot communicate easily across systems, and that varying policies for classifying information worldwide have hindered collaboration with foreign governments.
The GAO also cites an official with Homeland Security, who told the GAO that obstacles to sharing information stem from its lack of authority over agencies' practices for sharing information and companies' cybersecurity efforts, and that agencies and companies have been unable at times to identify the benefit of reporting such information. In a survey of federal agencies by the GAO, 7 out of 10 agency chief information officers said the most effective way to improve information sharing would be to streamline the process for declassifying information and making it available to stakeholders.
"That's not to say DHS has not been working on these things, they have," Gregory Wilshusen, a co-author of the GAO report, told American Banker. "One of the barriers to sharing is getting security clearances out to the appropriate people. That's been an ongoing issue with facilitating collaboration between the private sector and the federal government — making sure that individuals in the private sector are able to receive classified information."
The concern can present logistical snags for companies that want to receive information about threats. Wilshusen says that someone at a company who has a security clearance may be unable to share the information with colleagues.
The Department of Homeland Security did not respond immediately to a request for comment.
Though the GAO recommends that the White House develop a federal cybersecurity strategy that lays out a plan for making major improvements in areas that have been unaddressed, the agency notes the President has said he agrees more needs to be done to develop a comprehensive blueprint.
According to Wilshusen, the White House's assigning responsibility to particular departments may help. "Giving specific responsibilities to specific individuals was one thing with the executive order that was very positive and supports some of the challenges they've faced," Wilshusen said.