Four years after the enactment of the Cybersecurity Information Sharing Act of 2015, a joint inspectors general survey of seven financial-sector agencies’ efforts to implement the law reflects significant irregularities in steps taken to share cyber threat indicators and defensive measures with their fellow federal agencies and non-federal entities.
The Office of the Chief Information Officer “does not have the resources, fiscal funds, or technical capabilities to implement a sharing of CTIs and DM program,” the National Credit Union Administration told the Council of Inspectors General on Financial Oversight in a Jan. 15 memo.
The CISA law promised to shield private-sector entities from liability if they shared such information through the Department of Homeland Security’s Automated Indicator Sharing system and required federal agencies to implement policies to likewise share information the government had access to with the private sector.
The idea was that this would lay the foundation for a stronger collective defense, but companies are still skittish, fearing the protections aren’t enough to shield them from regulators, and as the new survey shows, government entities are also constrained by the classification levels attached to threat information by intelligence agencies.
The survey of the financial sector agencies—which, in addition to the NCUA, included the Board of Governors of the Federal Reserve System, the Bureau of Consumer Financial Protection, the Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, the Federal Housing Finance Agency, and the Securities and Exchange Commission—gives insight into challenges the larger federal government might be facing, under pressure to share more of its information with private-sector partners.
“Intelligence providers should continue to weigh the need to highly classify actionable information as this ..
Support the originator by clicking the read the rest link below.
