A new report from the U.S. Government Accountability Office (GAO) states that policies and actions implemented under the Cybersecurity Information Sharing Act of 2015 have positively contributed to the sharing of cyber threat information between federal and nonfederal entities. Sharing such information can enhance awareness of the extent of current cyber threats and how to mitigate those threats. The agency highlighted the actions of seven agencies designated to implement the act, including the Departments of Homeland Security, Justice, Defense, Commerce, Energy, and the Treasury; and the Office of the Director of National Intelligence.
The watchdog observed that malicious cyberattacks on the federal government and the nation’s critical infrastructures, such as electricity and healthcare, are growing in number, impact, and sophistication and have led to significant disruptions. It also identified that ransomware attacks on the healthcare and public health sector have had severe consequences. However, cyber information sharing helped improve awareness of the scope of current cyber threats and the strategies needed to mitigate them.
Cyber incidents have led to the inability of hospitals to provide emergency care, putting patients’ lives at risk. Hospitals have also been forced to cancel urgent care surgeries, delaying critical procedures for patients in need. Radiology appointments have similarly been canceled, affecting diagnostic and treatment timelines. In addition to direct patient care impacts, ransomware attacks have caused widespread disruptions to hospital operations and services, further straining healthcare systems and staff. The data underscores the urgent need for strengthened cybersecurity measures across the sector.
The Cybersecurity Information Sharing Act of 2015, which sunsets on September 30, 2025, encourages the sharing of cyber threat indicators that provide information on malicious attempts to compromise a system and defensive measures taken against cyber threats. Sharing such information can enhance federal and nonfederal awareness of the extent and type of current cyber threats and attacks, and mitigation techniques to minimize their impact. The act also requires agencies to protect privacy and civil liberties by removing personally identifiable information from shared cyber threat indicators.
In 2023, GAO reported that all seven federal agencies developed government-wide policies, procedures, and guidelines to help federal and nonfederal entities receive and share cybersecurity information, as required by the act. “We also reported in 2018 that all seven agencies developed final guidelines related to privacy and civil liberties that govern how threat information is received, used, retained, and distributed to protect personally identifiable information.”
The Intelligence Community Inspector General (ICIG) reported in 2023 that federal agencies met the provisions of the act. For example, agencies properly classified all shared information; disseminated, shared, and received threat information and defensive measures in a timely and adequate manner; removed personally identifiable information before sharing information; and identified barriers that have hindered sharing such information.
Before the act, non-federal entities did not have a readily available method of sharing cyber threat information. However, the act led to the development of automated cyber information sharing tools for entities to share classified and unclassified threat information. As of 2023, agencies continue to use those tools and other reporting means such as email, written reports, websites, and face-to-face communication. The ICIG’s biennial reports from 2017, 2019, 2021, and 2023 described the estimated number of threat indicators and defensive measures shared over the years by five agencies using the unclassified automated cyber information sharing tool.
GAO reported that the act also requires agencies to report barriers to sharing cyber threat information. The ICIG has reported several long-standing barriers to sharing threat information and defensive measures. GAO’s analysis of Intelligence Community Inspector General reports identified several barriers that hinder the effective sharing of cyber threat information among government agencies.
Some non-federal entities are reluctant to share cyber threat information due to fears of legal repercussions or potential business penalties. This hesitance undermines broader information-sharing efforts across the public-private sector. Classification concerns also pose a significant challenge. Agencies are unable to transfer classified threat data to unclassified environments, and in some cases, staff lack the security clearances needed to handle such information.
Another issue involves the unclassified information sharing tool. Often, the data lacks essential context or includes duplicated indicators. Additionally, the tool is not easily searchable, forcing personnel to manually sift through large volumes of data. The absence of a policy requirement further weakens cyber information sharing. Many agencies simply do not share cyber threat information because there is no mandate to do so.
Inconsistent file formats also disrupt the process. Federal threat indicator repositories struggle with compatibility issues when file formats do not align with the data systems used by receiving agencies. Finally, resource constraints complicate the situation. Without automation tools to scrub personally identifiable information, agencies must rely on technically trained staff to manually process the data. Misclassification of threat indicators further hampers the ability to filter and analyze relevant information efficiently.
GAO reported in 2023 on federal actions planned and underway to address some of these barriers. The Cybersecurity and Infrastructure Security Agency (CISA) and other related entities planned to make declassifying and disseminating unclassified elements of threat indicators contained within classified systems easier. CISA enhanced the unclassified cyber information sharing tool platform to address challenges with data quality and timeliness.
Lastly, CISA planned to update guidance for connecting to the tool and streamline the onboarding process. CISA had agreements with 15 third-party threat intelligence companies to make the tool more accessible for agencies with technical challenges and minimize agency costs.
This week, the Foundation for Defense of Democracies (FDD) noted that consensus in Congress seems to be coalescing around a straight reauthorization. “That option provides the greatest likelihood of averting the crisis that would accompany the expiration of the law. While there are nearly 90 days left on the calendar before CISA 2015 expires, there are only 35 working days for Congress between now and the end of September. Lawmakers should act with haste.”