
A Decade of CISA 2015: Reviewing its Effectiveness

In 2020, I published a blog commemorating the fifth anniversary of the Cyber Information Sharing Act of 2015 (CISA 2015).  In that blog, I provided an evaluation of the effectiveness of the law, with a particular focus on the Automated Indicator Sharing (AIS) program, as that was the topic of discussion at the time.  Five years later and with the pending September expiration of CISA 2015, it’s time for another review of CISA 2015.


The goal of CISA 2015 was to increase the voluntary sharing of threat intelligence both within industry and between industry and government.  It sought to achieve this by establishing the AIS program to enable the sharing of indicators at scale, and by providing a series of incentives to encourage industry sharing.  So, 10 years in, was this framework successful? Let’s explore its history and impacts today.


Automated Indicator Sharing 

It is important to look at AIS within the context of the time it was developed. Today, security professionals take for granted the ability to share large numbers of indicators across machines in near real-time.  But in 2015, indicators were still being shared through spreadsheets, requiring analysts to manually copy and paste them into their security tools. This was the problem AIS sought to address - how to share indicators at scale between industry and DHS in a way that is easily consumable. 

 

Evaluating the success of AIS is complicated. Critics cite the low industry participation rates and declining numbers of indicators being shared as evidence the program has not been successful.  For example, the DHS Office of the Inspector General noted that the number of private sector entities engaged with AIS and the number of indicators shared declined from 2017 to 2022. 


In actuality, however, the number of companies with access to AIS indicators is significantly higher. As I noted in my previous blog:


“While measuring the number of companies directly sharing is interesting, it doesn’t necessarily reflect how the industry shares information. Thousands of companies belong to ISACs, including the IT-ISAC and many of our peers in the National Council of ISACs who participate in the DHS AIS program. Leveraging the ISACs and our collective member companies provides scale for DHS to share with thousands of companies. Any assessment of industry’s participation should include the thousands of companies who participate through ISACs.”

In addition, security and threat intelligence providers have access to AIS indicators and provide them to their customers.  DHS actually has a list (though incomplete) of security providers and ISACs with access to AIS feeds.  Combined, ISACs and security vendors are providing a vast scaling capability to distribute AIS feeds to many thousands of companies.


It also is worth noting that AIS, along with the STIX/TAXII standards that support it, provided the technical underpinnings that enabled the development of technologies to seamlessly connect threat feeds across enterprises. AIS demonstrated that this technology worked, added value, and was cost-effective and scalable.  Today, companies can pull all their threat intelligence feeds into one platform for analysis and integration with their security tools.  AIS helped make this possible.


Finally, yes, it is true that not many private sector partners are sharing indicators directly through AIS.  However, there are many more forums and venues for sharing between industry and government today that did not exist in 2015. These include voluntary sharing from victim companies as well as analysis and reporting from threat intelligence providers and sharing from the ISAC community.  One example is the Joint Cyber Defense Collaborative. DHS is able to use AIS to share indicators received through these programs.


Ultimately, AIS addressed a problem of the time. That problem no longer exists at the scale it did 10 years ago.  The number of indicators available is vastly greater today than in 2015.  Rather than being interested in absorbing as many indicators as possible, security teams today are interested in indicators that are most relevant to them, including specific threat actors, industries, and locations.


Liability and Incentives

In addition to facilitating the sharing of indicators at scale, CISA 2015 also provided incentives to encourage voluntary sharing within industry, as well as between industry and government.  These incentives include liability protections for sharing cyber threat indicators, protecting shared information from disclosure under federal and state Freedom of Information Act (FOIA) laws, and, importantly, antitrust exemptions for companies’ participation in information sharing forums.


This legal framework removed risks (real or perceived) that prevented many companies from participating in voluntary information sharing initiatives. With the protections afforded by the statute, threat intelligence sharing within industry and between industry and government has accelerated.  While there is always the opportunity to improve, the amount and the quality of threat intelligence being shared across the cybersecurity community has grown substantially since the passage of CISA 2015.


The core measure of success is not the number of indicators shared, but whether the shared information helps other participants reduce their risk and improve their cyber posture.  Below are some recent examples, from my experience in the IT-ISAC and Food and Ag-ISAC, in which the active sharing of threat intelligence has led to successful security outcomes:


  • The IT-ISAC and Food and Ag-ISAC maintain adversary attack playbooks on over 230 threat actors. Members can contribute indicators and other content to these playbooks.  The ISACs use this information to develop sector-specific threat reports.  The public version of the IT Sector Threat report is available here and the public version of the Food and Ag-ISAC report is available here.


  • The ISACs maintain an internal Ransomware Tracker that was developed in collaboration with members and partners.  The ISACs publish quarterly ransomware reports based on the information that is collected, in which we determine trends as well as methods used by specific actors.  You can view the most recent IT-ISAC quarterly reports here and the most recent Food and Ag-ISAC report here.


  • An IT-ISAC member discovered a zero-day exploit and informed the vendor whose product was vulnerable.  The member shared information about the exploit, along with associated indicators, with IT-ISAC member companies.  This enabled members to protect themselves and their customers ahead of the fix being released by the vendor, which occurred two weeks later.


  • A Food and Ag-ISAC member company noticed some unusual ACH-related activity and shared details with other Food and Ag-ISAC members. Several other companies reported seeing something similar.  This information was then shared with IT-ISAC members and discussed during a member Technical Committee meeting.  An IT-ISAC member investigated the indicators further and discovered a coordinated ACH fraud campaign impacting companies in multiple sectors.  The IT-ISAC worked with other ISACs to notify impacted companies and shared the information across the National Council of ISACs (NCI).


  • The IT-ISAC and CISA meet no less than once per month to discuss ongoing threats.  This enables us to provide insights on specific threats we are seeing and discuss details of our threat reports.  


These examples are not meant to serve as a commercial for either ISAC.  Rather, they demonstrate that policymakers have successfully developed a legal environment in which companies are comfortable sharing sensitive information with competitors.


Conclusion

The core question related to potentially renewing CISA 2015 is this: Will our country be more or less secure if the Act expires?


If CISA 2015 expires, it will sunset the current legal framework that has successfully encouraged companies to voluntarily share with each other and the government. The sunsetting of these provisions will bring unnecessary uncertainty, which likely will cause an unknown number of companies to disengage from voluntary sharing.


I am not predicting the end of information sharing if CISA 2015 is not reauthorized. The IT-ISAC’s threat sharing pre-dates CISA 2015 and will continue.  If CISA sunsets, there will still be some legal instruments that provide certain protections, such as the DoJ and FTC Antitrust Policy Statement on Sharing of Cyberthreat Information.


But risk-averse corporate attorneys often prefer protections provided by statute to policy statements issued by regulators.  At a time when the country faces a complex array of threats, policymakers can support efforts to defend critical infrastructure by promoting policies that incentivize voluntary threat sharing.  The legal framework provided by CISA 2015 has served us well and helped us collectively move toward a culture of sharing, which enables both industry and government to make informed risk management decisions.


 
 
 

© 2025 by Information Technology-Information Sharing and Analysis Center.