The 'two-way information sharing stream' for cyber-security data between the private and public sectors needs work, according to the Government Accountability Office's director of IT management issues.
More work remains to be done to improve the sharing and coordination of IT security data held individually by the private and public sectors, according to the U.S. Government Accountability Office (GAO), the federal government's nonpartisan agency that reviews programs and initiatives.
In July, the GAO released a report titled Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed. The key finding was that the public and private sectors need to share data more openly with each other to improve the nation's cyber-security.
The GAO interviewed and surveyed IT security officials and analyzed documents to determine what public- and private-sector groups expected from each other and whether or not those expectations were being met. And apparently the effort hasn't always been made with enough passion on either side.
The GAO found that the government is reluctant to share not just classified information with corporate America, but also unclassified data. "Sometimes it's not even classified information. Sometimes it's still deemed sensitive, and there's still a reluctance to get that information out," said David Powner, director of IT management issues at the GAO.
Fifty-six private-sector representatives were surveyed to discern what services they expected from government in different areas, and 98 percent of them expected timely and actionable cyber-threat information from federal partners. Ninety-six percent expected timely and actionable alerts, and 87 percent expected access to classified or sensitive government information.
Yet only 27 percent of respondents reported actually receiving timely and actionable cyber-threat information; 27 percent reported receiving timely and actionable cyber-alerts; and 16 percent reported receiving access to classified or sensitive government information.
One stumbling block is that not all federal agencies have the same protocols to follow when it comes to releasing sensitive information.
"There's some information that the government has a hard time sharing because folks on the other end don't necessarily clear it at the appropriate levels, and that's something that continues to be a challenge in this area," Powner said.
But the government has some expectations from private partners as well. The report divided them into five categories: the defense industrial base (DIB), banking and finance, communications, energy and IT. All of them indicated a great or moderate expectation from the private sector to execute on best practices and recommendations. They also expected companies to provide both timely and actionable cyber-threat information and the appropriate staff and resources -- both to a great or moderate degree.
Many of the government expectations were being met, according to the GAO, but some improvements could be made. The IT sector received little or no commitment from the private sector to execute best practice plans and recommendations, and only some timely and actionable cyber-threat information. The DIB, energy and IT sectors only received some appropriate staff and resources.
"The private sector at times is reluctant to share because they don't want public disclosure, especially if their company is named as part of the incident," Powner said. Bad press can be bad for business. "This public disclosure could affect stock price and market share, and that's still a big issue."
Many companies probably don't want to share sensitive, proprietary information that could expose their competitive advantage. This means that companies have their reasons for holding back sometimes, just like government agencies do.
"So we have a two-way information sharing stream that needs to work to really protect our critical infrastructures in the right way, and we need improvement going both directions," Powner said.
The report makes note of existing legislation that fosters public-private collaboration, like 1998's
Presidential Decision Directive 63 and 2002's Homeland Security Act, which created the U.S. Department of Homeland Security (DHS). Both put in the groundwork for coordinating councils that facilitate information sharing between sectors. But sometimes there's still confusion with so many government departments at different levels, even though both the DHS and U.S. Department of Defense have started pilot programs to facilitate sharing. This complexity continues to confuse the private sector, which wants an authoritative go-to entity for IT security within the government, Powner said.
The DHS created the National Cybersecurity and Communications Integration Center in October 2009, comprising the National Coordinating Center for Telecommunications and U.S. Computer Emergency Readiness Team. Its purpose is to be a central location for disparate government and corporate entities to coordinate sharing efforts to respond to cyber-attacks. It's a fairly recent creation, and more work could be done.
"To get to a single organization is tough because this is complicated, and there are some agencies that have unique knowledge, but there is a desire to build some credibility and authority where you have a single source," Powner said. "The private sector would say, 'That's the go-to organization that I can go to and get answers when there's an incident.'"