More work remains to be done to improve the sharing and coordination of IT security data held individually by the private and public sectors, according to the U.S. Government Accountability Office (GAO), the federal government's nonpartisan agency that reviews programs and initiatives.
In July, the GAO released a report titled Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed. The key finding was that the public and private sectors need to share data more openly with each other to improve the nation's cyber-security.
The GAO interviewed and surveyed IT security officials and analyzed documents to determine what public- and private-sector groups expected from each other and whether or not those expectations were being met. And apparently the effort hasn't always been made with enough passion on either side.
Government Sometimes Reluctant to Share
The GAO found that the government is reluctant to share not just classified information with corporate America, but also unclassified data. "Sometimes it's not even classified information. Sometimes it's still deemed sensitive, and there's still a reluctance to get that information out," said David Powner, director of IT management issues at the GAO.
Fifty-six private-sector representatives were surveyed to discern what services they expected from government in different areas, and 98 percent of them expected timely and actionable cyber-threat information from federal partners. Ninety-six percent expected timely and actionable alerts, and 87 percent expected access to classified or sensitive government information.
Yet only 27 percent of respondents reported actually receiving timely and actionable cyber-threat information; 27 percent reported receiving timely and actionable cyber-alerts; and 16 percent reported receiving access to classified or sensitive government information.
One stumbling block is that not all federal agencies have the same protocols to follow when it comes to releasing sensitive information.
"There's some information that the government has a hard time sharing because folks on the other end don't necessarily clear it at the appropriate levels, and that's something that continues to be a challenge in this area," Powner said.
Private Sector Hoards IT Data Too
But the government has some expectations from private partners as well. The report divided them into five categories: the defense industrial base (DIB), banking and finance, communications, energy and IT. All of them indicated a great or moderate expectation from the private sector to execute on best practices and recommendations. They also expected companies to provide both timely and actionable cyber-threat information and the appropriate staff and resources -- both to a great or moderate degree.
Many of the government expectations were being met, according to the GAO, but some improvements could be made. The IT sector received little or no commitment from the private sector to execute best practice plans and recommendations, and only some timely and actionable cyber-threat information. The DIB, energy and IT sectors only received some appropriate staff and resources.
"The private sector at times is reluctant to share because they don't want public disclosure, especially if their company is named as part of the incident," Powner said. Bad press can be bad for business. "This public disclosure could affect stock price and market share, and that's still a big issue."
Many companies probably don't want to share sensitive, proprietary information that could expose their competitive advantage. This means that companies have their reasons for holding back sometimes, just like government agencies do.
"So we have a two-way information sharing stream that needs to work to really protect our critical infrastructures in the right way, and we need improvement going both directions," Powner said.
Some IT Security Collaboration Under Way
The report makes note of existing legislation that fosters public-private collaboration, like 1998's