Department of Homeland Security
Office of Inspector General

Review of the Department of Homeland Security's Capability to Share Cyber Threat Information (Redacted)

OIG-11-117
September 2011

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

September 29, 2011

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the Department.

This report addresses the strengths and weaknesses of the Department's capability to share cyber threat information among its federal, state, local, and tribal governments and private sector partners. It is based on direct observations and analyses of applicable documents. We obtained additional supporting documentation through interviewing personnel from selected federal agencies and companies in the private sector.

The recommendations herein have been developed to the best knowledge available to our office and have been discussed in draft with those responsible for implementation. We trust this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Charles K. Edwards
Acting Inspector General

Table of Contents

Abbreviations
Executive Summary
Background
Results of Audit
Actions Taken To Share Cyber Threat Information
Description of How Cyber Threat Information Is Shared Among Federal Agencies and the Private Sector
Mechanisms Used To Disseminate Classified Cyber Threat Information
Effectiveness of Sharing and Distributing Cyber Threat Information Among Key Stakeholders
Recommendations
Management Comments and OIG Analysis
Enforcement Authority
Recommendation
Management Comments and OIG Analysis

Appendices
Appendix A: Purpose, Scope, and Methodology
Appendix B: Management Comments to the Draft Report
Appendix C: Operational Partners
Appendix D: Major Contributors to this Report
Appendix E: Report Distribution

Abbreviations

CYBERCOM    United States Cyber Command
DCAR        Department Agency Cybersecurity Activity Reports
DoD         Department of Defense
DHS         Department of Homeland Security
FBI         Federal Bureau of Investigation
GFIRST      Government Forum of Incident Response and Security Team
HSDN        Homeland Secure Data Network
            Office of Intelligence and Analysis
ISAC        Information Sharing and Analysis Center
IT          information technology
JACKE       Joint Agency Cyber Knowledge Exchange
JWICS       Joint Worldwide Intelligence Communications System
MOA         Memorandum of Agreement
NASDAQ      National Association of Securities Dealers Automated Quotations
NCCIC       National Cybersecurity and Communications Integration Center
NCSD        National Cyber Security Division
NPPD        National Protection and Programs Directorate
NSA         National Security Agency/Central Security Service
NTOC        National Threat Operation Center
OCIO        Office of the Chief Information Officer
OIG         Office of Inspector General
RSA         Rivest, Shamir, and Adleman
            Secret Internet Protocol Router Network
US-CERT     United States Computer Emergency Readiness Team

Executive Summary

We audited the Department of Homeland Security's (DHS) capability to share cyber threat information as required by the Intelligence Authorization Act for Fiscal Year 2010. This act requires the Inspectors General of DHS and the Intelligence Community to report to Congress on (1) how cyber threat information is being shared among federal agencies and the private sector, (2) the mechanisms used to share classified cyber threat information, (3) an assessment of the effectiveness of sharing and distributing cyber threat information, and (4) any other matters that may inform the Congress or the President regarding the
effectiveness of cybersecurity programs. Our audit focused on collaboration efforts to share and distribute cyber threat information with federal civilian agencies and its private sector partners. The Office of the Director of National Intelligence Office of Inspector General (OIG) focused its efforts on the Intelligence Community and the military branches. The results of its review will be provided in a separate classified report.

DHS has taken actions to create an environment to promote cyber threat information sharing in support of its mission. However, DHS can further improve its cyber threat information sharing by strengthening its public-private partnership to ensure better communication with government and sector coordinating councils and the private sector's Information Sharing and Analysis Centers. Also, DHS must delineate the roles and responsibilities between the National Cybersecurity and Communications Integration Center and the United States Computer Emergency Readiness Team to avoid confusion among federal agencies and the private sector.

We are making three recommendations to the Department. The Office of Intelligence and Analysis and the National Protection and Programs Directorate concurred with our recommendations and have already begun to take actions to implement them. The Department's responses are summarized and evaluated in the body of this report and included in their entirety as appendix B.

Background

The Intelligence Authorization Act for Fiscal Year 2010 requires the Inspectors General of DHS and the Intelligence Community to report to Congress regarding the status of sharing cyber threat information. The report should include the following:

• A description of how cyber threat intelligence information, including classified information, is being shared among the agencies and departments of the United States and with the private sector;
• A description of the
mechanisms by which classified cyber threat information is distributed;
• An assessment of the effectiveness of cyber threat information sharing and distribution; and
• Any other matters identified by the Inspector General that would help to fully inform Congress or the President regarding the effectiveness of cybersecurity programs.

DHS is responsible for securing cyberspace and critical infrastructure under Homeland Security Presidential Directive 7. Specifically, DHS is responsible for (1) developing a comprehensive national plan for critical infrastructure protection; (2) developing and enhancing national cyber analysis and warning capabilities; (3) providing and coordinating incident response and recovery planning, including conducting incident response exercises; (4) identifying, assessing, and supporting efforts to reduce cyber threats and vulnerabilities, including those associated with infrastructure control systems; and (5) strengthening international cyberspace security.

As such, DHS is the cybersecurity lead for federal civilian agencies, and it partners with the private sector to develop security capabilities. Its goals are to create a safe, secure, and resilient cyber environment and to promote awareness of cybersecurity. To fulfill its mission, DHS partners with other federal agencies, the Intelligence Community, and the private sector to collaborate and share cyber threat intelligence information.

Within DHS, the US Computer Emergency Readiness Team (US-CERT) serves as the principal cyber watch, warning, and analysis center for federal civilian agencies and an operational point of coordination with the private sector for cyber incident response.[1] Specifically, US-CERT is responsible for protecting the nation's critical information systems infrastructure by coordinating the defense against and response to cyber attacks. See figure 1 for the Cybersecurity and Communications organizational chart.

Figure 1. Cybersecurity and Communications Organizational Chart. Source: US-CERT.

In October 2009, DHS established the National Cybersecurity and Communications Integration Center (NCCIC) as the Department's integrated cybersecurity and communications operations center. NCCIC is the focal point of coordination for national response efforts to significant cyber incidents. Specifically, NCCIC combines two of operational units: US-CERT, the operational arm of the NCSD, leads a public-private partnership to protect and defend the nation's cyber infrastructure, and the National Coordinating Center for Telecommunications, which is the operational arm of the National Communications Systems. US-CERT uses NCCIC as the mechanism to brief the Department's senior leadership on significant cybersecurity events.

Additionally, NCCIC includes two other components: the Industrial Control Systems Cyber Emergency Response Team, which focuses on control systems security, and the Office of Intelligence and Analysis Cyber Threat Branch. Although each organizational component fulfills separate operating missions, mission includes coordinating the operations of these components and developing a common operating picture.

[1] US-CERT is a branch of the National Cyber Security Division (NCSD) within the National Protection and Programs Directorate's (NPPD) Office of Cybersecurity and Communications.

See figure 2 for DHS organizations that have a major presence on the NCCIC floor.

Figure 2. Organizational Components. Source: OIG.

is tasked with strengthening the Department's and other federal agencies' abilities to perform their homeland security functions by accessing, integrating, analyzing, and sharing timely and relevant intelligence and information while protecting the privacy and civil liberties of citizens. One of missions is to deliver analytical intelligence products to its customers that address threats posed by all threat actors to the nation's critical infrastructure. also develops policies that address and mitigate cybersecurity threats.

Results of Audit

Actions Taken To Share Cyber Threat Information

DHS has taken actions to create an environment to promote the effective sharing of cyber threat information in support of its mission. For example, DHS has taken the following actions to foster and improve cyber threat information sharing among the federal and private sectors:

• US-CERT developed an internal-external communication plan that depicts strategies to strengthen collaborative partnerships to improve shared cyber situation awareness.

[2] External partners include federal agencies, private sector, state and local governments, and international partners.

• DHS developed the National Cyber Incident Response Plan in coordination with federal, state, local, territorial, and private sector partners to establish the strategic framework for organizational roles, responsibilities, and actions to prepare for, respond to, and coordinate the recovery from a cyber incident. The plan serves as a mechanism across the cyber risk management spectrum, including incident management, data flow enhancement, analytical collaboration, and other integrated cybersecurity coordination efforts among the federal operations centers, Information Sharing
and Analysis Centers (ISACs), and industry participants involved in cyber coordination and incident response activities.
• DHS established a memorandum of agreement (MOA) with the Department of Defense (DoD) to set forth the terms by which both agencies will exchange personnel, equipment, and facilities to improve inter-agency collaboration in strategic planning for the nation's cybersecurity and to current operational missions.
• US-CERT established partnerships with ISACs, including Financial Services, Multi-State, and Information Technology (IT), to facilitate government and industry collaboration to mitigate unauthorized cyber activity in private networks and to improve the protection of privately owned critical infrastructure.

Although DHS has taken actions to facilitate the exchange of cyber threat information between federal agencies and the private sector, the Department still faces numerous challenges in carrying out its mission as the principal lead for securing the cyberspace. DHS must continue to improve its coordination efforts with other federal agencies and the private sector regarding cybersecurity mitigation strategies, information sharing initiatives, and sharing of best practices and processes to protect critical infrastructure and key resources across the sectors. Additionally, DHS must encourage both federal agencies and private sector partners to share their cyber threat information with the Department in order to develop effective responses to potential attacks.

Description of How Cyber Threat Information Is Shared Among Federal Agencies and the Private Sector

DHS shares cyber threat information among federal agencies and the private sector through various information portals, published reports, telephone, email, and secure video teleconferences, and person-to-person contact, including working groups. The mechanism for sharing the information largely depends on the classification of the information and on the tools available for the intended recipient to receive the information.

[3] ISACs consist of the owners and operators of critical infrastructure and key resources to facilitate consistent interaction between and among public-private members and the government. They are considered collaborative partners with the shared goal of securing the nation's critical infrastructure.

Collaboration Among DHS Components and the Intelligence Community

US-CERT shares cybersecurity information with the Intelligence Community through Cyber Threat Branch who are detailed both at NPPD and NCCIC and NPPD detailees work with US-CERT personnel at the NCCIC to coordinate on threat assessments and analysis activities. This coordination enables direct person-to-person collaboration to fulfill the intelligence requirements of the NCCIC, US-CERT, and the Industrial Control Systems Cyber Emergency Response Team.

As a component of the NCCIC, the Cyber Threat Branch determines when threat intelligence and information is disseminated to its homeland security customers in DHS and the Intelligence Community to ensure that information from all sources is combined to provide a complete assessment of potential threats to the nation. US-CERT identify cyber threat anomalies from intrusion detection systems that may signal potential unauthorized, unusual, or risky network activity on federal networks. Then uses US-CERT analyses to produce intelligence products such as Homeland Security Intelligence Reports and Intelligence Information Reports.[4] Both reports are distributed via the Automated Messaging Handling System and the Homeland Secure Data Network to DHS components and to other members of the Intelligence Community. and US-CERT also coordinate on preparing the Secretary's daily cybersecurity briefings.

Collaboration with Federal Agencies

To support the operations and improve situational awareness of the nation's cyber infrastructure, DHS engages in bi-directional communication
exchange with federal agencies through meetings and continued dissemination of products and services. goals are to articulate key cybersecurity messages and to disseminate timely and accurate technical information to its federal agency partners. Additionally, DHS encourages partnerships with national and international entities to encourage situational awareness and share critical cyber threat information. DHS cyber security officials believe that on-going bi-directional communication is paramount to the success of these partnerships.

[4] Homeland Security Intelligence Reports contain processed intelligence information and serve as a mechanism for a wider distribution to the broader Intelligence Community. Intelligence Information Reports consist of raw, unevaluated intelligence, which serves as a bridge between the Intelligence Community and the Department's non-intelligence components.

[5] HSDN is a classified wide area network for DHS and its components, with specific and controlled interconnections to the Intelligence Community and federal law enforcement resources.

For example, US-CERT exchanges liaison officers with the Federal Bureau of Investigation's (FBI) National Cyber Investigative Joint Task Force, National Security Agency's (NSA) Central Security Service National Threat Operation Center (NTOC), DoD's United States Cyber Command (CYBERCOM) and Cyber Crime Center, and the DHS National Operations Center. In addition, the United States Secret Service stations a liaison at US-CERT to improve communication and exchange cyber threat information.

When potential cyber crimes and threats are detected, Cyber Division notifies outside agencies of information and intelligence gleaned from all facets of FBI cyber investigations and intelligence gathering efforts. The FBI shares with DHS through its cyber liaison assigned to DHS and by disseminating timely and actionable intelligence and threat
information directly to US-CERT during ongoing investigations. US-CERT, in turn, uses the intelligence and information to notify its partner agencies and institute any mitigation strategies provided by the FBI notification.

Further, DHS participates in information sharing initiatives, including weekly meetings attended by the DoD's CYBERCOM, the NSA NTOC, and the Departments of Energy and State. DHS also participates in the National Cyber Investigative Joint Task Force meetings, which have majority participation from law enforcement agencies. Also, DHS operates the Government Forum of Incident Response and Security Team (GFIRST) portal and coordinates its annual conference.[6]

information sharing and incident response process includes distributing recipient-specific Department Agency Cybersecurity Activity Reports (DCARs) to federal agencies.[7] As of January 2011, US-CERT distributed DCARs to 10 federal agencies as well as a general government-wide DCAR. Additionally, US-CERT participates in a number of sharing activities with different agencies, as well as operates and organizes the Joint Agency Cyber Knowledge Exchange (JACKE) program meetings.

[6] GFIRST promotes cooperation among the full range of departments and agencies, as well as the defense, civilian, intelligence, and law enforcement communities. Members work together to understand and handle computer security incidents and to encourage proactive and preventative security practices.

[7] US-CERT publishes the weekly DCARs to provide senior cybersecurity officials awareness of cybersecurity incidents occurring across the civilian federal government. This report details the trends observed in the .gov domain and open source reporting.

To further exchange cyber threat data between both agencies and DHS launched initiatives to share and coordinate their cyber operations, which include the NSA NTOC and DoD's Cyber Crime Center. The MOA between and DHS
works toward ensuring that both agencies' priorities and requests for support are clearly communicated and met. Among other responsibilities, DHS officials maintain cognizance of both agencies' activities to avoid duplication of efforts and potential conflict. Both agencies have personnel co-located at their sites to support their operational and planning efforts. Further, DHS has entered into other initiatives or MOAs, such as with the National Cyber Investigative Joint Task Force. These agreements provide DHS with additional resources to improve inter-agency collaboration in strategic planning for the nation's cybersecurity, mutual support for capabilities development, and of current operation mission activities.

Collaboration with State, Local, Tribal, and Territorial Governments

State, local, tribal, and territorial governments receive their cyber threat information from Cyber Threat Branch, National Operations Center, NCCIC, fusion centers, and through the Department of Justice FBI National Cyber Investigative Joint Task Force outreach for law enforcement agencies. Additionally, state governments have designated a senior official for the Cyber Unified Coordination Group to improve situational awareness, which is a key element in responding to cyber security incidents. Further, the state and local government partners participate in the Homeland Security State and Local Intelligence Community of Interest working group to share sensitive information regarding current and emerging threats to the nation.

Cyber threat information is disseminated to state and local governments via secured video teleconferences and Homeland Security State and Local Intelligence Community of Interest and HSDN portals.[8] Under the Cybersecurity Partner Local Access Plan pilot program, arranges for US-CERT to provide cybersecurity awareness briefings to fusion centers on a region-by-region basis. Further, DHS collaborates
with state, local, tribal, and territorial governments through its working relationship with the Multi-State ISAC. The Multi-State ISAC serves as the primary contact between US-CERT and state and local governments. US-CERT provides funding to the Multi-State ISAC and communicates with them on a daily basis.

[8] The Homeland Security State and Local Intelligence Community of Interest consists of state and local government partners. It allows intelligence in the states and federal agencies to share sensitive homeland security intelligence information and analysis on a daily basis.

Collaboration with the Private Sector

US-CERT is developing information sharing relationships with critical infrastructure and key resources sector partners, such as the Financial Services ISAC, IT-ISAC, and Multi-State ISAC. Currently, there are liaisons from the IT-ISAC, Multi-State ISAC, and the communication sector at the NCCIC. Further, the Financial Services ISAC participates in a pilot program with DoD's Cyber Crime Center and US-CERT to regularly share cybersecurity products and information. Additionally, US-CERT coordinates with the Industrial Control Systems Cyber Emergency Response Team to communicate with other private companies to secure their control systems.

US-CERT works in close collaboration with other federal cyber centers to share threat information with the private sector. For example, in August 2010, US-CERT briefed the IT-ISAC on security issues related to mobile devices, worked with the NSA to monitor developments of Zeus malware, and provided informational briefings at GFIRST conference.[9] In September 2010, US-CERT representatives met with the Secretary of Defense to discuss incident information sharing.

[9] Zeus malware is a generic back door that allows full control by an unauthorized remote user. Its primary function is financial gain by stealing online credentials such as file transfer protocol, email, online banking, and other passwords.

Based on their awareness of cybersecurity, private sector recipients can receive cyber threat information in several ways. For example, some recipients (Financial Sector ISAC, Energy Sector ISAC, and Water Sector ISAC) are considered operational partners, and they receive information directly from their and other liaisons at the NCCIC. The NCCIC also provides regular briefings to the Sector Coordinating Councils, which have established mechanisms to share cyber threat information with individual critical infrastructure owners and operators. Additionally, specific private sector entities (telecommunication providers, software vendors, and internet service providers) have established relationships with the NCCIC and requested information to ensure their resiliency.

Further, the private sector receives cyber threat information by accessing portals and websites (GFIRST portal and the US-CERT.gov website, which includes the National Cyber Alert System). The private sector also uses the Homeland Security Information Network to collaborate with the public sector about cyber security incidents, vulnerabilities, and exploits in a trusted environment.[10] US-CERT also provides information on current cyber security issues, activities, and resources to the private sector on its public website.

[10] The Homeland Security Information Network is a national web-based portal for information sharing and collaboration among federal, state, local, tribal, territorial, private sector, and international partners engaged in the homeland security mission. Users can share within their communities or reach out to other communities as needed.

Figure 3 depicts the information sharing environment used by US-CERT. See appendix for a list of operational partners.

Figure 3 Acronyms

CICPA       Cyber Infrastructure Cyber Protection and Awareness
DC3         Department of Defense Cyber Crime Center
FNS         Federal Network Security
GCSM        Global Cyber Security Management
IC-IRC      Intelligence Community Incident Response Center
ICS-CERT    Industrial Control Systems Cyber Emergency Response Team
NCC         National Coordinating Center for Telecommunications
            National Cyber Investigative Joint Task Force
NOC         National Operations Center
NSD         Network Security Deployment
SOC         Security Operations Center

Figure 3. US-CERT Information Sharing Environment. Source: US-CERT.

Finally, DHS is undertaking many initiatives to enhance the exchange of cyber threat information with the private sector. These initiatives include the following:

• Expanding its private sector information sharing processes by building an information sharing model that incorporates private sector stakeholders across multiple sectors. Under this model, US-CERT coordinates with its partners to provide their stakeholders with timely risk information and remediation strategies to protect their networks and those of their critical infrastructure.
• Contracting with Carnegie Mellon University's Software Engineering Institute to develop and coordinate cybersecurity data flow efforts between the federal government and the private sector. The projected outcome is to include capabilities that map and align actionable cybersecurity risk management activities, potential attacks, and vulnerability mitigation.
• Participating in conferences and engagements that support its coordination with federal, state, and local governments, as well as the international public and private sector communities, to share up-to-date information on cyber threats and mitigation strategies and to promote information sharing.

Mechanisms Used To Disseminate Classified Cyber Threat Information

DHS uses several mechanisms to share classified cyber threat information with federal agencies, the Intelligence Community, and the private sector. Specifically, DHS communicates and distributes Secret cyber threat
information through the use of classified information systems and person-to-person interactions. Cyber threat information that is classified as Secret is disseminated through HSDN and the Secret Internet Protocol Router Network, as well as through the Automated Message Handling System,[12] Secure Terminal Equipment,[13] and secured video teleconferences.

[11] is a system used to transmit information that is classified as Secret.

[12] The Automated Message Handling System provides a user-friendly means to send and receive messages and to provide connectivity to and interoperability with other federal agencies, allies, tactical users, and defense contractors. It also provides guaranteed delivery to the intended recipients and maintains writer to reader accountability.

[13] Secure Terminal Equipment consists of telephone communications system for wired or landline communications.

Person-to-person interactions occur between liaisons who are detailed at the NCCIC or stakeholders and public sector partners participating in or quarterly working groups, GFIRST and JACKE meetings. Further, DHS participates in the Operations and Intelligence Round-Up, which is a weekly analyst-to-analyst exchange coordinated by CYBERCOM. Also, DHS organizes the JACKE meetings with and representatives from various Security Operations Centers. The CYBERCOM, JACKE, and NTOC meetings mostly address operational issues.

Effectiveness of Sharing and Distributing Cyber Threat Information Among Key Stakeholders

Although a considerable amount of information is being shared between DHS, other federal agencies, and the Intelligence Community, more sharing and coordination efforts are needed to address cyber threats in a timely and manner. Specifically, some federal agencies have limited access to classified cyber threat information. Additionally, DHS
has limited control over the classified cyber threat and tear line information it receives.[17] As a result, some stakeholders do not perceive the information provided as valuable because it may not be timely or provide recommended actions to address potential cyber threats.

Most Federal Partners Are Not Equipped to Receive Classified Cyber Threat Information

ability to share classified cyber threat information with other federal agencies is contingent upon these agencies having the required facilities, equipment, and employees to receive and process classified material. Specifically, many federal agencies do not have access to HSDN and JWICS, systems used for transmitting Secret and Top Secret classified information, respectively. Further, the lack of proper security clearances for senior IT personnel at these agencies is a major hindrance for DHS to share classified cyber threat information timely and effectively.

We interviewed senior officials from eight federal agencies to evaluate the effectiveness of sharing and distributing of cyber threat information. Overall, these officials indicated that cyber threat information was shared effectively. However, they expressed concerns regarding their access to classified cyber threat information. For example, officials at one department informed us that the agency has only one or two JWICS terminals for multiple users, as well as limited HSDN access. Only 6 of 220 personnel at its national security operations center have Top Secret clearances. Although the agency does not generally handle classified information, its personnel have found classified cyber threat forums and products valuable and would like to share more information learned from these forums within the organization. However, currently it cannot do so, as the material is classified and only a few of its staff possess the required security clearance.

Additionally, since there is no JWICS access at another agency's Office of the Chief Information Officer (OCIO), its personnel have to reach out to other agency
staff outside the OCIO with JWICS access to obtain the information needed to respond to a potential threat. This usually requires this department's OCIO personnel to travel to another location. Similarly, cyber security staff at two other agencies must travel to another location to access classified systems. Then agency personnel must print out and transport classified material back to their respective offices.

[17] A tear line report contains a physical line on an intelligence message or document, which separates categories of information that have been approved for disclosure and release. Normally, the intelligence below the tear line has been previously cleared for disclosure or release.

Agency officials cited the lack of sufficient funding as the main obstacle to their agencies acquiring access to classified cyber threat information. At four agencies we visited, management officials decided not to obtain access to classified material because they believed the cost outweighs its benefits. Specifically, one department's official told us that it is extremely difficult to make a case to its leadership for classified system access when US-CERT does not provide classified cyber threat products tailored to the agency's specific needs, which would have greatly increased their value.

In the case of another agency's OCIO, agency officials informed us that its JWICS access request was pending approval from the Office of the Director of National Intelligence. According to these officials, a service level agreement was established to allow US-CERT to monitor agency's network traffic. This agreement requires JWICS access, and US-CERT has not made a request to the Office of the Director of National Intelligence on its behalf. US-CERT officials responded that DHS does not have sufficient resources to help other federal agencies obtain the required system access and security clearances.

According to Homeland Security
Presidential Directive 7, the DHS Secretary is required to establish appropriate systems, mechanisms, and procedures to share homeland security information relevant to threats and vulnerabilities in national critical infrastructure and key resources with other federal agencies, state and local governments, and the private sector in a timely manner. Additionally, the National Infrastructure Protection Plan (2009) established the goal that requires critical infrastructure and key resources partners to strive toward access to robust information sharing networks that include relevant intelligence and threat analysis and incident reporting. Further, effective communication, which includes multidirectional information sharing between government and industry to streamline and reduce redundant reporting, is highly encouraged.

Unless other agencies acquire the required facilities and equipment and ensure that their personnel possess the proper security clearance to receive or process classified cyber threat information, DHS will continue to be restricted in what kind of cyber threat information it can share. As a result, these federal agencies will be hindered in their respective efforts to address effectively cyber threats to their systems.

DHS Has Limited Control Over the Classified and Tear Line Information It Receives

Federal agency and private sector officials expressed concerns regarding DHS' inability to provide unclassified cyber threat information to a wider customer base. Cultural and mission differences among Intelligence Community members and federal agencies affect how cyber threat analyses are produced and result in products of varied quality and timeliness for partners and customers. However, since the Department is not the originator of the classified materials, DHS is often restricted in distributing cyber threat information that is classified Secret or Top Secret. Specifically, DHS is
prohibited by originating authorities from creating tear line reports or providing specific details to other agencies. As a result, many DHS partners and customers are not receiving the cyber threat information needed to take proper action.

Based on their respective cyber functions, elements of the Intelligence Community focus on the priority to support their own missions. As a result, intelligence cyber threat information they share with DHS may not allow time-sensitive threat mitigation actions to be taken. Officials told us that classified cyber-related information becomes too restrictive and generalized when it is collected from multiple sources. That is, originators often consider only their respective missions and needs for the information, but not the prospective needs of their cyber threat partners.

Additionally, DHS does not have the authority to declassify any information that the Department did not generate. Specifically, DHS cannot generate tear line reports or release any information that may hinder another agency's ongoing investigation, work in progress, or violate applicable classification policies. As part of Intelligence Community Policy Memorandum Number 2007-500- Unevaluated Domestic Threat Tear Line Reports (November 2007), the Office of the Director of National Intelligence requires the Intelligence Community to produce unclassified versions of all classified reports involving threats to the United States that identify a specific target, geographic location, or method of attack.[18] However, some Intelligence Community elements are not including their tear line reports with the classified material. Finally, there is no similar requirement for non-Intelligence Community elements to create tear line reports. According to US-CERT officials, since it can be very time-consuming to develop tear line reports, other agencies are not willing to create these reports for their classified
products.

In some instances when DHS receives tear line reports, the Department may still be restricted as to when and with whom the information can be shared. In addition, the originating agencies may restrict the distribution of the tear line report. Some federal agencies and private sector officials said that they would, at a minimum, prefer to receive information regarding what is being attacked and the method, excluding the attacker or the specific agency or company being attacked, in an unclassified format.

Private Sector Stakeholder Views

We met with representatives from 17 private sector companies and 2 ISACs to obtain their views on the effectiveness of sharing and coordination efforts between the Department and the private sector. Most of these officials indicated that DHS has improved its information sharing efforts over the last few years. Specifically, US-CERT has increased its outreach efforts by participating in more private sector meetings and conferences and is providing more actionable information in its alerts and bulletins. Representatives from the Finance, Healthcare and Public Health, and Communication sectors noted improvements in their collaboration with US-CERT.

However, some officials expressed concerns regarding the effectiveness of collaboration efforts and with the quality and timeliness of US-CERT products. As a result, private sector companies often use their own tools to share, analyze, and exchange cyber threat information within their sectors, rather than collaborating with DHS.

The private sector officials we interviewed identified a number of improvements that DHS could implement to further enhance its

[18] The Intelligence Community Policy Memorandum states all available context information relating to the information collected shall be included in the tear line report. This may include information on the access to the information, reporting history, possible motivation, or other pertinent details. These reports shall be consistent with statutory requirements to protect
intelligence sources and

cyber threat information sharing initiatives.[19] Specifically, DHS needs to:

• Improve the accuracy and timeliness of its alerts and bulletins. Specifically, some of the larger companies told us that DHS provided the same cyber threat information they had already received from other sources, such as ISACs and private vendors. Additionally, these companies noted that DHS does not always provide cyber threat information timely to allow for prompt response and mitigation.

• Customize products with cyber threat information for specific sectors. Without these customized products, according to some representatives, they have to conduct extensive analyses to determine whether the threat or vulnerability cited in products pertains to their sector.

• Identify recommended actions companies should take to mitigate the threats or security incidents cited in alerts and bulletins. Some representatives told us that US-CERT products do not always include actionable recommendations. According to these companies, without these recommendations, they could not take prompt corrective actions to mitigate the threat identified.

• Provide guidance on how classified and for official use only cyber threat information could be distributed within global companies. For example, some global companies told us that they were not sure if they could disseminate cyber threat information provided by US-CERT to key cybersecurity personnel at their overseas offices. They said that they employ foreign nationals in cyber security positions at their overseas offices and these employees may not possess the security clearances needed to gain access to critical cyber threat information.

Further, cybersecurity personnel at some companies expressed concerns that DHS did not engage them fully when drafting new

[19] The private companies represented nine critical infrastructure and key resource sectors, including finance,
chemical, communications, energy, IT, nuclear, postal and shipping, healthcare and public health, and transportation systems.

policies and initiatives that may affect them. For example, when planning the National Cyber Incident Response Plan Annex, DHS announced that the private sector would have an opportunity to comment on the strategy. However, some company officials told us that they were given the opportunity to comment on the document only after it was developed by a government-only working group. Additionally, some IT-ISAC members voiced concerns that when DHS reached out to the private sector with other draft policies for comments, they were given a relatively short time to comment on the nearly finalized policies, such as the Homeland Security Strategy for Enterprise. Since some private companies believe that strategies are lacking in the areas of cross-sector and cross-company information sharing, they have piloted their own cybersecurity efforts to address their concerns.

US-CERT officials acknowledged the concerns expressed by some in the private sector with their services and products. Since US-CERT's mission is to serve the broader spectrum of cybersecurity for the nation, these officials do not believe they can provide the sector- or industry-specific information that these partners desire. US-CERT officials added that it does not have sufficient resources to provide each partner with customized cyber threat activity and information. To augment the information provided through published products, US-CERT communicates with the private sector through the coordination with various organizations, such as Sector Specific Agencies and the ISACs. According to US-CERT officials, some products are alert products by design and are intended only to draw attention to a possible threat in as timely a fashion as possible, not to provide in-depth analysis.

US-CERT officials disagreed with the perception that the
Department did not reach out to the private sector for its input in developing joint initiatives and information sharing efforts. They cited its development and exercise of the National Cyber Incident Response Plan and the establishment of MOAs between DHS and the Financial Services ISAC as examples of soliciting input and participation from private sector partners.

Homeland Security Presidential Directive 7 requires DHS and federal agencies to collaborate with the private sector to facilitate information sharing concerning physical and cyber threats, vulnerabilities, incidents, potential protective measures, and best practices. Additionally, the Comprehensive National Cybersecurity Initiative encourages the enhancement of ongoing partnerships between the federal government and the public and private sector owners and operators of the critical infrastructure and key resources.

To improve communication with the private sector, DHS is drafting a cyber information flow policy to outline the information sharing processes among the Department, ISACs, and private sector partners. The goal of the policy is to establish ongoing sharing of cyber threat information, such as trends, tactics, and techniques, among key stakeholders. According to officials, the Office of the Director of National Intelligence National Intelligence Manager for Cyber and DHS have begun a project to develop information requirements and convert them into timely, actionable intelligence for government and private sector critical infrastructure network defenders.

The Roles and Responsibilities of NCCIC and US-CERT Have Not Been Delineated

DHS has not defined and communicated the roles of the newly created NCCIC to its partners or developed a portal to disseminate NCCIC products. NCCIC was established as a member of information sharing environment to serve as a cyber threat aggregate authority at DHS. However, some private sector
partners expressed concerns experienced by their liaisons stationed on the NCCIC floor. For example, some private sector liaisons have experienced connectivity and other technical problems that keep them from accessing actionable and timely threat information. Additionally, some customers have become less satisfied with the support they have received since the creation of NCCIC.

Because of the problems they experience at NCCIC, some federal agencies and private companies, including ISACs, do not see the value in stationing liaisons on the floor. For example, the IT sector and IT-ISAC representatives informed us that their liaisons cannot access their companies' networks from the NCCIC floor to coordinate incident responses. Instead, the liaisons have to access their companies' networks via their laptop computers away from the NCCIC floor.

Further, some officials in the private sector expressed concern with dissemination of information during specific cyber events, such as the National Association of Securities Dealers Automated Quotations (NASDAQ) attack,[20] the Rivest, Shamir, and Adleman (RSA) hack,[21] and the Stuxnet attack.[22] According to some of the private sector officials we interviewed, DHS did not provide information concerning these attacks to the private sector timely. In some instances, the private sector first learned of the attacks through the media and then received information from the Department.

For the NASDAQ attack, Securities and Exchange Commission officials told us that they were directly involved in the incident as part of the financial sector and requested initial information about the attack from US-CERT. However, US-CERT declined the agency's request and instead released a bulletin regarding the incident. For the RSA hack, a banking official told us that DHS did not share specific details with the banking sector until it was reported in the media. In addition, the information that DHS released
was general and limited because of the ongoing investigation by law enforcement agencies, and some of it was classified. However, some private sector officials told us that DHS should have worked more closely with them and consulted them, since their companies were being identified by the news media. Also, they felt that DHS did not sufficiently solicit industry's perspective on the best response procedure.

As a result, some companies and ISACs are evaluating whether to maintain the NCCIC liaison positions, since they perceive the information flow as one-directional, with information flowing only to the NCCIC. Some private sector officials believe that they are not receiving the expected information and services or overall return on investment for the money they are spending in having a liaison at the NCCIC.

Further, some private sector officials view NCCIC as an added layer of complexity when working with DHS. For example, there is no longer a clear process for communicating incidents since NCCIC has been established. Some federal agency and company

[20] The NASDAQ attack was reported by the media on February 4, 2011. A NASDAQ stock market operator found suspicious files on its United States computer servers and determined that hackers could have affected one of its Internet-based client applications. However, at the time of the media report, there was no evidence that customer information was accessed or acquired or that any trading platforms were compromised.

[21] The RSA hack, reported by the media in March 2011, occurred when sensitive information related to the popular SecurID two-factor authentication products was stolen. Although the stolen information alone would not enable a successful attack on SecurID customers, it could reduce the effectiveness of the

[22] In 2010, researchers found that the Stuxnet malware was designed to infect industrial control systems.

officials are not even sure whether to report
incidents to US-CERT, NCCIC, or both.

We discussed with NCCIC staff the concerns raised in our meetings with private sector companies. In response, the NCCIC Director clarified the respective roles and responsibilities of NCCIC and US-CERT. First, he stated that US-CERT is a component of NCCIC. As such, US-CERT plans to work in coordination with other federal components of NCCIC Industrial Control Systems Cyber Emergency Response Team, National Coordinating Center for Telecommunications and and to provide the input gathered from the US-CERT partners to the NCCIC. Then NCCIC integrates the information gathered from its components and partners partners are expected to continue using however the NCCIC maintains direct contact with the Cyber Alliance Project partners and ISACs.

According to DHS officials, US-CERT is in a position to share its own information. Third-party information can be shared only with the permission of that third party. This information may be the proprietary information of a private sector partner. Alternatively, it may be law enforcement information provided to US-CERT by the United States Secret Service or the FBI. US-CERT works with those private and public sector partners to package and disseminate their information in a manner that does not jeopardize their interests; however, US-CERT must still obtain permission from the owner.

DHS officials acknowledged that addressing the concerns from federal agency and private sector officials is a difficult challenge. Specifically, the effectiveness of sharing cyber threat information is contingent upon federal agency and private sector partners' willingness to collaborate and share all available information with DHS. DHS officials told us that the Department will continue to work with its public and private partners to encourage increased bi- and multi-directional information sharing.

It is essential that DHS, federal agencies, and the private sector share pertinent cyber threat information and improve collaboration to
ensure that appropriate steps can be taken to mitigate the potential effect of a cyber incident. DHS cannot effectively defend against and respond to cyber incidents without the support and collaboration of other agencies and the private sector.

Recommendations

We recommend that the Under Secretary of I&A:

Recommendation #1: Coordinate with the Office of Director of National Intelligence to develop policy on the right to release and share cyber threat and related information through tear line reports with the Intelligence Community, other federal agencies, and the private sector.

We recommend that the Under Secretary of NPPD:

Recommendation #2: Improve communication with NCCIC and partners and customers to address their concerns and needs regarding cyber threat information, products, and mitigation strategies.

Management Comments and OIG Analysis

I&A concurred with recommendation 1. I&A is coordinating with the Office of Director of National Intelligence on an initiative to develop updated intelligence community policy on releasing and sharing information through unclassified tear line reports with customers, including federal agencies, state, local, and tribal partners, and the private sector. The new guidance is intended to recognize the evolving threat paradigm and codify the responsibilities and standards for the intelligence community to provide tear line reports, including improved tailored threat information, to these partners. I&A plans to ensure that the new policy guidance facilitates the provision of unclassified cyber threat information to a wider customer base in a time-sensitive manner to enable responsive mitigation actions. Additionally, I&A has worked with the Office of Director of National Intelligence National Counterterrorism Center to finalize a process for expediting tear lines in exigent circumstances.

OIG Analysis

We agree that the steps I&A has taken and plans to take satisfy the intent of this
recommendation. This recommendation will remain open until I&A provides documentation to support that all planned corrective actions are completed.

NPPD concurred with recommendation 2. A series of corrective actions are planned to improve information sharing products and mitigation strategies. In fiscal year 2011, the Department finalized a new Government Performance and Results Act performance measure in which a customer feedback survey will be attached to US-CERT and Industrial Control Systems Cyber Emergency Response Team products. It will assess how timely and actionable each product is, while providing customers an opportunity to provide feedback directly to the Department.

NCSD will enhance the framework under which information sharing occurs. First, NCSD will prepare a white paper on current information sharing programs. Additionally, NCSD will complete the transition of the agreement underlying the Government Information Sharing Framework to a DHS Financial Services ISAC agreement. NCSD also will create a comprehensive framework for DHS critical infrastructure information sharing agreements involving ISACs, IT providers, and other entities that manage or provide services to manage cyber networks and systems.

US-CERT is developing and deploying resources and process improvements that increase information sharing, such as implementing an Indicator Repository database and completing one Cyber Operational Resiliency Review assessment in partnership with a financial sector institution. Finally, the NCCIC and US-CERT will implement a comprehensive outreach initiative to ensure that DHS information sharing stakeholders understand their roles, responsibilities, and communication access points.

OIG Analysis

We agree that the steps NPPD plans to take satisfy the intent of this recommendation. This recommendation will remain open until NPPD provides documentation to support that all planned
corrective actions are completed.

Enforcement Authority

DHS does not have appropriate enforcement authority to help mitigate security incidents. Without this authority, DHS will continue to be hindered in its efforts to create a safe, secure, and resilient cyber environment. We reported in June 2010 that US-CERT did not have the appropriate enforcement authority to ensure that agencies comply with mitigation guidance concerning threats and vulnerabilities.[23] Further, we reported that US-CERT needs the authority to enforce its recommendations so that federal agencies' systems and networks are protected from potential cyber threats.

According to The National Strategy to Secure Cyberspace, DHS is required to establish a public-private partnership to respond to and reduce the potential damage from cyber incidents. Additionally, the National Infrastructure Protection Plan stipulates that US-CERT, a partnership between DHS and the public and private sectors, is tasked to secure the nation's critical information systems infrastructure and coordinate the defense against and response to cyber attacks across the nation. However, US-CERT was not given the authority to compel agencies to implement its recommendations to ensure that system vulnerabilities and incidents are remediated timely.

US-CERT officials stated that the proposed Federal Information Security Management Act of 2008 legislation would have given it some leverage to implement incident response and cybersecurity recommendations.[24] For example, the proposed legislation would have required agencies to address incidents that impair their security. Further, the agencies would have had to collaborate with others, if necessary, to address the incidents. Additionally, agencies would have been required to respond to incidents no later than 24 hours after discovery or provide notice to US-CERT as to why no action was taken. Finally, agencies would
have had to ensure that information security vulnerabilities were mitigated timely. Since the proposed legislation was not enacted, US-CERT remains without enforcement authority.

US-CERT's products contain recommendations that address the threats and vulnerabilities in federal agencies' infrastructures. Additionally, US-CERT products help to update federal information security policy and guidance. Without the enforcement authority to implement recommendations, US-CERT will continue to be hindered in coordinating the protection of federal cyberspace.

[23] US Computer Emergency Readiness Team Makes Progress in Securing Federal Cyberspace, but Challenges Remain (OIG-10-94, June 2010).

[24] Federal Information Security Management Act 2008 Proposed Legislation, S. 3474, Calendar Number 1105, 110th Congress, Second Session.

Recommendation

We recommend that the Under Secretary of NPPD:

Recommendation #3: Work with the administration to develop a legislative proposal for congressional consideration that will grant DHS appropriate enforcement authority to mitigate security incidents.

Management Comments and OIG Analysis

NPPD concurred with recommendation 3. In May 2011, the administration transmitted a cybersecurity legislative proposal to Congress in response to Congress' call for assistance on how best to address the nation's cybersecurity needs. DHS worked closely with the White House and interagency partners to provide input and recommended language for this proposal.

OIG Analysis

We agree that the steps NPPD has taken satisfy the intent of this recommendation. This recommendation is closed.

Appendix A Purpose, Scope, and Methodology

The objective of our audit was to determine DHS' capability to share cyber threat information, as required by the Intelligence Authorization Act for Fiscal Year 2010. Specifically, we determined
(1) how cyber threat information is shared among the agencies and departments of the United States and with persons responsible for the critical infrastructure; (2) the mechanisms by which classified cyber threat information is distributed; (3) the effectiveness of cyber threat information sharing and distribution; and (4) any other matters identified by the Inspector General that would help to fully inform Congress or the President regarding the effectiveness of cybersecurity programs.

Our review focused on cyber threat information sharing activities based on the requirements outlined in the Homeland Security Act (2002), The National Strategy to Secure Cyberspace (2003), National Strategy for Information Sharing (2007), Comprehensive National Cybersecurity Initiative (2009), and National Infrastructure Protection Plan (2009).

We interviewed selected DHS officials. Additionally, we interviewed officials from the departments of Agriculture, Energy, Justice, State, Treasury, Veterans Affairs, and the Securities and Exchange Commission. Further, we interviewed selected security personnel representing the finance, chemical, communication, energy, IT, postal and shipping, healthcare and public health, and transportation systems sectors regarding communication methods, systems, technologies, and tools used to share cyber threat information.

We conducted this performance audit between December 2010 and June 2011 pursuant to the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based upon our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based upon our audit objectives.

Major OIG contributors to the audit are identified in appendix D. The principal OIG point of contact for the audit is Frank W. Deffer, Assistant Inspector General, IT Audits, at (202)
254-4100.

Appendix B Management Comments to the Draft Report

[Scanned management response letters to the draft report; the text could not be recovered from the scan.]
rp-unnl produuc ullmd pmdumhutdmihmc album Review of the Department of Homeland Security s Capability to Share Cyber Threat Information Page 32 Appendix Management Comments to the Draft Report In all all-um Ilia - Depimmnl'l Huiuul Hamil Di'rii'mn held a Hid minim Em ml ul m iniduimmdimnnahcmul and ll-trim I'nrlh Inlhmutjuu urituji'd rum The nl'lhn' mks-111111 In mmlh ltl'l mm hunting will lus- In dull-ulna ml lm in mum-null Winn ih 'i g it'ti'u'i-ljr Mum lhl Wand E'I'ili l WWI puiicipmlm W Lhax mr-r wr ul l ic'r qr' rmmr qr'h'dn'nnul' Inf-rime wrap-pain an rin- I'd-rm and shut- nil-am mar Hm mum-r Mimi-n- E'mmum may agenda undilu- rim-r Haw HI-in and Aaliyah w l rum-id this mil-mu W tannin- rm un'l'h EM ul'Il-I mini-HI it-Ir norm-LL ugm l'ng q- tr Hut-n ugh-rum mic-rum and ammth my mil-ill His mum-duh In hum mm mum-ruminant sunk-gin 11 FT L Wt rmlim mw mwmm FWn-M aufn An- Ful l-rm in HEM may m'lt In Incl-led In LIE-CERT mil Industrial Carlin 53m Elihu Hanan-nu Tum prudwls 1 will muslin- lil ijl'lnd Mancunian-Ii rm-dun i1 plm ngmum Wit - lu pm't'ld-It l'mdhd dimly W NEED will aim Ill ur nuhich Emmi-um newts Flu NEED 'I-hitl I an minimum staring mm ailing haw Inch mum EH15 Idim'nci new has i rm For In mmpwun u Hidwldu's and El rill-m nf'rna'mnndun DHS and I Ilicll inEruimduJ-r wit-lea NEED will mplm1hlmuirim ul'lh inn-center ind-Ewing CHEF In a WWI-WISH mum-ml will Huh Emmi-Juli mum i'nl' n'iliul inhm inliumlinn muting Isl-5cm Emmi-in ISMTH Info-111mm md Emmiuti -BEI T l' ll l l f mi'idd drill nllm'uuhi l1 mire - MME yb fun-ml and Hum i rmware and impair-email Ihu ltllilw Hawaiian nhuirlg Fill-IL UE-EEFJ i5 ruiicmm Wm dulblu whil hi umnliuimuiudimn toilnbm'atlw mm bu nil mnim n Emu-mi it leI Haitian Eta-hm- Whip-will Inirilmirm 111i m1 will provide Ih Humid sum-4m mam smut insiahu u Il'u Il'uwll than 'u lilu -Jus Buddinim will mm in midi-1 mm Review of the Department of Homeland Security s Capability to Share Cyber Threat Information Page 33 Appendix Management 
Appendix C Operational Partners

Communications ISAC
Cyber Security Management Center
Department of Defense
Department of Transportation Federal Aviation Administration
Department of the Treasury
Departments and Agencies Security Operations Center
Electricity Sector ISAC
Energy ISAC
Federal Bureau of Investigation
Financial Services ISAC
Immigration and Customs Enforcement Cyber Crimes Center
Information Technology ISAC
Intelligence Community-Incident Response Center
Multi-State ISAC
National Cyber Investigative Joint Task Force
National Cybersecurity Center
National Infrastructure Coordination Center
National Operations Center
National Response Coordination Center
National Security Agency Central Security Service National Threat Operation Center
Surface Transportation ISAC
United States Secret Service
Water ISAC

Appendix D Major Contributors to this Report

Chiu-Tong Tsang, Director
Tarsha Cary, Audit Manager
Mike Horton, IT Officer
Shannon Frenyea, Team Lead
Amanda Strickler, Team Lead
Megan Ryno, Program Analyst
David Bunning, IT Specialist
Bridget Glazier, IT Auditor
Philip Greene, Referencer

Appendix E Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretariat
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Under Secretary
Assistant Secretary Cyber Security and Communications
Chief Information Officer
Deputy Chief Information Officer
Chief Information Security Officer
Director NCCIC
Director NCSD
Director US-CERT
Director Compliance and Oversight Program
Director Liaison Office
Audit Liaison
Audit Liaison
Audit Liaison
Audit Liaison NPPD

Office of Management and Budget

Chief Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees as appropriate

ADDITIONAL INFORMATION AND COPIES

fax your request to (202) 254-4305 or visit the OIG web site at www.dhs.gov/oig

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603
• Fax the complaint directly to us at (202) 254-4292
• Email us at DHSOIGHOTLINE@dhs.gov or
• Write to us at DHS Office of Inspector General, MAIL STOP 2600, 245 Murray Drive SW, Building 410, Washington DC 20528

The OIG seeks to protect the identity of each writer and caller.