By Scott Algeier
The IT-ISAC has been celebrating its 20th Anniversary this year. But 2020 also marks another important information sharing milestone—the 5th anniversary of the original CISA, the Cyber Information Sharing Act. CISA was passed to promote information sharing between DHS and industry and to support programs such as DHS’ Automated Indicator Sharing program (AIS). I am often asked whether CISA has improved information sharing and whether AIS has been a successful program.
With the passage of CISA, the Department of Justice Anti-Trust Guidance on Information Sharing and the Protected Critical Infrastructure Information Program (PCII), there is a sound—though perhaps imperfect—legal structure in place to promote information sharing. Certainly, some observers have concerns that CISA and AIS may not be meeting the expectations some have for it. But anything that removes barriers to information sharing —real or perceived— is a good thing. Further, it is important to note that CISA and AIS were never intended to be the solution to the information sharing challenge. Instead, they are both important partsof the solution. Can they be improved? Certainly. However, it is important to not look at information sharing exclusively through the lens of CISA or AIS.
The AIS program’s primary goal is to “commoditize cyber threat indicators through AIS so that tactical indicators are shared broadly among the public and private sector, enabling everyone to be better protected against cyber attacks” (https://www.us-cert.gov/ais). A core precept of AIS is to leverage automated information sharing to share larger amounts of indicators. It is focused on sharing large volumes of low level (less sensitive) indicators with as many people as possible.
When AIS was first initiated, automated indicator sharing was in its infancy. At the time, there was a large desire for increased indicator sharing across industry and government. It is unclear how many companies are participating directly with DHS in the AIS program, but there is substantial indicator sharing occurring across industry and government. While measuring the number of companies directly sharing is interesting, it doesn’t necessarily reflect how the industry shares information. Thousands of companies belong to ISACs, including the IT-ISAC and many of our peers in the National Council of ISACs who participate in the DHS AIS program. Leveraging the ISACs and our collective member companies provides scale for DHS to share with thousands of companies. Any assessment of industry’s participation should include the thousands of companies who participate through ISACs.
The IT-ISAC, for example, receives AIS indicators from DHS directly into our TruSTAR knowledge management platform. Members can query against all disclosed DHS data feeds, including AIS, and search for relationships between AIS indicators and other indicators in the platform. They also check those against indicators they have in their own enterprise security tools. When a member company identifies information that would be valuable to share with DHS, they pass that along to our operations team, who passes the information to DHS. DHS can then share those indicators back out to their larger community through AIS. Despite its shortcomings, the AIS program has its purpose and value. But it is in no way fair to judge the success of DHS or government information sharing solely based on AIS alone.