The Department of Commerce Office of the Inspector General (OIG) announced last month that it will be conducting a review of the department’s cyber threat data sharing capabilities, pursuant to the Cybersecurity Information Sharing Act of 2015, which set up structures for sharing threat data with government and private sector entities.
The main focuses of the report will be whether current data sharing policies are sufficient, whether “cyber threat indicators and defensive measures are properly classified,” and whether the government is sharing threat indicators and defense strategies.
“We will assist in creating an interagency report on the actions taken by the executive branch of the Federal government to carry out this title during calendar years 2019–2020,” the memo says. “We plan to begin this work immediately.”
The result of the Commerce OIG’s review will be included in a wide-ranging report on broader government performance on cyber threat data sharing that will cover the 2019-20 period and will be issued by the Intelligence Community OIG in December 2021.
Other agencies contributing to the final report will include the departments of Defense, Energy, Homeland Security, Justice, and Treasury, along with the Office of the Director of National Intelligence.
The 2015 law envisioned seamless data sharing of cyber attack threats, but there have been a number of complaints since its passage about the speed and effectiveness of the data sharing process.
Few have disagreed with the goal of improving cyber threat sharing capabilities, and it only becomes more vital in light of ever-more-sophisticated attacks, such as the SolarWinds hack by Russian state actors and its continued fallout.
“Cybersecurity threats … require a unique level of collaboration between the public and private sectors,” Microsoft President Brad Smith wrote in a Dec. 17 blog post that illustrates the value of intelligence sharing.
“Today’s technology infrastructure, from data centers to fiberoptic cables, is most often owned and operated by private companies,” Smith said. “These represent not only much of the infrastructure that needs to be secured but the surface area where new cyberattacks typically are first spotted. For this reason, effective cyber-defense requires not just a coalition of the world’s democracies, but a coalition with leading tech companies.”