DHS’s Cyber Threat Information Sharing Program Has Room to Grow

Published: October 15, 2020


The Homeland Security Department’s Inspector General reviewed the Automated Indicator Sharing program and found some progress and some areas lacking.

The Cybersecurity Information Sharing Act, signed into law in 2015, paved the way for greater sharing of cybersecurity threat information by the private sector and federal agencies with the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS).

One result was the creation of the Automated Indicator Sharing (AIS) program to enable the exchange of cyber threat indicators between CISA and the private sector at machine speed. Nearly five years after the law that set these wheels in motion took effect, a recently released DHS Office of Inspector General (OIG) report determined that DHS made limited progress to improve information sharing in 2017 and 2018. The news is decidedly a mixture of some progress and some capabilities yet to come.

AIS Successes and Shortcomings

Some of the progress and shortcomings noted by the OIG include:

  • Increased Participation: CISA increased the number of non-Federal participants from 74 in 2016 to 219 in 2018, including 13 International Computer Emergency Response Teams (CERT). However, the number of federal participants barely grew from 30 entities in 2016 to 33 in 2018.
  • Increased Threat Indicators Shared: CISA increased the number of cyber threat indicators it shared with AIS participants from nearly 180,000 in 2016 to more than 4 million in 2018. CISA shared more than 5.4 million unclassified indicators through its AIS data feeds in 2017 and 2018, 1.4 million and 4 million respectively.
  • Insufficient Information Quality: The information shared through AIS did not contain sufficient detail to fully mitigate potential threats. It did not contain actionable information, including sufficient context or background details to effectively protect federal and private networks. Contextual information can include things like Internet Protocol addresses, domain names, or hash files that may help with deciding mitigation and response actions. Another data challenge was file format incompatibility that limited the sharing of threat indicators.

The OIG attributed CISA’s lack of progress in improving the quality of the information shared under the AIS program both to external factors, like the limited number of AIS participants sharing cyber indicators and the delays in receiving the cyber threat intelligence standards needed to upgrade AIS, and to internal factors, like insufficient staffing in the CISA office to adequately support the AIS program.

The OIG recommended CISA increase dedicated staffing to the AIS program and increase its training to federal and industry participants and its outreach to potential participants to grow the program, some of which CISA has already undertaken.

There are plans to revamp CISA’s Automated Indicator Sharing (AIS) program to improve quality and facilitate more complex defensive actions by federal agencies and the private sector. Hopefully, as CISA works to overcome the challenges it faces, the AIS program will mature and gain greater traction.