In recent years, the Department of Homeland Security’s cybersecurity branch has taken major steps to improve the way it shares cyber threat intelligence (CTI) with private-sector companies and protecting the nation’s critical infrastructure.
This year, DHS’s Cybersecurity and Infrastructure Security Agency looks to make 2020 the “year of vulnerability management” for its federal agency partners and to further cement its role as the federal government’s cyber coordinator.
But even with these major projects in the works, Greg Wilshusen, the director of information security issues at the Government Accountability Office, said barriers still stand in the way of agencies sharing cyber threat information with each other and with their partners in the private sector.
But at the same time, he said DHS has come a long way in improving its cyber threat information sharing. When GAO surveyed owners and operators of national critical infrastructure only a few years ago, only about 28% of respondents said the federal government was providing actionable, timely and useful cyber threat intelligence.
“There’s a challenge in making sure that we get that information, or that they provide that information to DHS,” Wilshusen said in an interview.
But in a more recent survey from February 2017, GAO has found that respondents had expressed a more favorable opinion of CISA’s National Cybersecurity and Communications Integration Center (NCCIC), which has developed 43 types of products and services to help support the sharing of cyber threat intelligence.
“They’re much more favorably inclined and appreciate the products and services that DHS was offering in this respect,” Wilshusen said about those survey results. “So at least there’s been some progress going forward on the part of DHS.”
However, GAO’s work has also identified some of the challenges that DHS has had in terms of providing cyber threat intelligence to the private sector as well as other federal agencies.
“In some cases, some of these entities didn’t have the security clearances in which to receive some of the information that the government had that could be shared,” Wilshusen said.
In other cases, GAO raised concerns that the cyber threat intelligence that is shared is appropriately anonymized, so that sensitive information can’t be connected to specific individuals or entities.
But GAO has also seen some positive trends, including further clarification of the roles and responsibilities that the federal government and its partners have in collecting and sharing cyber threat intelligence.
Wilshusen said GAO has also seen improved communications and coordination between DHS and the intelligence community, which puts the federal government in a better position to share cyber threat intelligence with its partners.
Another recent trend that Wilshusen noted is an effort to speed up the overall process of sharing cyber threat intelligence.
“One of the problems in the past is that often the information that DHS might have provided out to entities through technical alerts was not necessarily very timely, and where other private-sector organizations may have already addressed some of the vulnerabilities and the threats, based upon information from some of the security contractors and providers out there,” he said.
As part of these positive trends, DHS has taken some early steps to automate the sharing of cyber threat information through systems like EINSTEIN to examine incoming network traffic and screen for cyber threats.
The success of these tools, Wilshusen said, has also led to a conversation about using artificial intelligence tools in the sharing the cyber threat intelligence.
“You have these advanced algorithms that can help cybersecurity professionals in a variety of ways, he said. “The key benefit is that it helps reduce the time and effort it takes to perform these different tasks, like identifying vulnerabilities and patching vulnerabilities — even detecting attacks and defending against active attacks,” Wilshusen said. “I think the automation of that and being able to use machine learning to an extent can help cybersecurity professionals.”
These AI and machine learning tools, he added, could serve as a force multiplier for cybersecurity professionals in terms of expanding their auditing and monitoring capabilities.
“There are often wide gaps in the implementations of their capability to view their entire network and the activity that’s actually occurring on their network,” Wilshusen said. “And the information that they do collect, it’s still often very voluminous, where they just don’t have the time or the expertise to actually look at that type of system activity and the audit logs or system logs … Usually, they’re only looking at that when an incident has occurred.”