The Pentagon has not fully implemented a 2015 law aimed at improving how agencies share cyberthreat indicators and defensive measures, according to an inspector general’s report released Nov. 13.
The Cybersecurity and Information Sharing Act, or CISA, has not been fully implemented because the Pentagon’s chief information officer did not establish a policy to follow the new rule, the report said.
“As a result, the DoD limited its ability to gain a more complete understanding of cybersecurity threats,” the report read.
In “DoD Actions to Implement the Cybersecurity Information Sharing Act of 2015 Requirements,” the Inspector General said that none of the four DoD Components, which include the National Security Agency, the Defense Information Systems Agency, the Pentagon’s Cybercrime Center, and U.S. Cyber Command, "implemented all of the CISA requirements.”
In 2015, CISA was enacted to share cybersecurity threats between government agencies and with the private sector and the report covered March 2017 through September 2018.
During that time, DISA and Cyber Command did not have “agency-level policies and procedures for sharing cyber threat indicators and defensive measures with Federal and non-Federal entities,” the report said. The Pentagon’s Cyber Crime Center did not verify that all individuals it shared threats with had an active security clearance. Violations of the CISA law by the NSA were struck from the unclassified version of the report and not released.
As a result of the failure, the report said the Pentagon “did not fully leverage the collective knowledge and capabilities of sharing entities, or disseminate internally generated cyber threat indicators and defensive measures.”
“This is critical because cyberattackers continually adapt their tactics, techniques, and procedures to evade detection, circumvent security controls, and exploit new vulnerabilities,” inspectors wrote.
Attempts to reach the office of the Pentagon’s top IT official, the department’s chief information officer, were unsuccessful. It is not immediately clear if the Department’s CIO, Dana Deasy, appointed in April, has drawn up a strategy to implement the CISA requirements, but Pentagon officials have publicly spoken about the importance of information sharing.
Threat sharing with the Department of Homeland Security and private groups is part of the Pentagon’s plan to protect the U.S. from cyberattacks, Ed Wilson, the deputy assistant secretary of defense for cyber policy said Nov. 13 during an event hosted by the Foundation for the Defense of Democracies. Wilson said he had not yet seen the watchdog report.
Information sharing is also part of the Pentagon’s new cyber strategy. The department pledged to “streamline our public-private information-sharing mechanisms” in order to strengthen critical infrastructure sectors.
However there have been questions about the usefulness of some threat sharing programs.
Six companies are sharing cyberthreats with government, Chris Krebs, an undersecretary at the Department of Homeland Security, told reporters July 31.
“We have to establish a value proposition for an organization to share into the system,” Krebs said. Information about the number of companies sharing cyberthreats with the government was first reported by NextGov.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.