Advancing cybersecurity through automated indicator sharing

[Note: This article is coauthored by Ann Beauchesne and Dr. Andy Ozment. Ms. Beauchesne is Senior Vice President of the National Security and Emergency Preparedness Department at the U.S. Chamber of Commerce.]

Cyber attacks are increasing every day, and we’re constantly inundated by news reports detailing data breaches, ransomware attacks, and other system intrusions that cost businesses time and money and erode consumer confidence. Both the government and the private sector recognize the gravity of these incidents and are working together to address cyber threats through a novel information-sharing effort.

Last December, Congress passed the Cybersecurity Information Sharing Act of 2015 (CISA), which urges companies to share critical cyber threat information with each other and with the government in a timely manner. To facilitate this effort, the legislation required the Department of Homeland Security (DHS) to develop and deploy a system enabling the automated exchange of cyber threat indicators in real time. Under a tight deadline, DHS worked hard to start up an Automated Indicator Sharing (AIS) capability and meet all the requirements of the law. In March, 90 days after the passage of CISA, Secretary of Homeland Security Jeh Johnson certified AIS as fully operational.

AIS is the cornerstone of DHS’ effort to create an information-sharing ecosystem. The moment a company or federal agency observes an attempted compromise, indicators associated with that incident are shared in real time with our partners, protecting them from that particular threat. This means that adversaries can only use an attack once, which increases their costs and reduces the prevalence of cyber attacks. The goal is to commoditize cyber threat indicators through AIS so that tactical indicators are shared broadly among the public and private sectors.

There is no fee to join AIS. Participants in AIS connect to a DHS-managed system in the department’s National Cybersecurity and Communications Integration Center (NCCIC), which enables two-way sharing of cyber threat indicators. Businesses need a server to exchange indicators with the NCCIC. Participants not only receive DHS-developed indicators, but can share indicators that they have observed, which DHS will share with all AIS participants.

Participants that share indicators through AIS are not identified as the source to other participants unless they consent to the disclosure. In other words, indicator contributions are anonymous unless you want DHS to share your name.

With information sharing, there are three key characteristics: volume (lots of indicators), velocity (speed of sharing), and validation. Unfortunately, you can only ever get two out of three. In this case, the NCCIC has heard from you that you want a lot of information from the government, and you want it as soon as it is discovered, so AIS focuses on volume and velocity. Moreover, you will validate the indicators yourselves anyway, so you do not need the delay of DHS also validating them. That being said, when the government has useful information about an indicator, the NCCIC will assign a risk score to provide context to our customers.

CISA also provides AIS participants with legal protections. Companies that submit indicators through AIS in accordance with the requirements set forth in CISA receive liability protection. Indicators submitted through AIS are exempt from federal, state, tribal, and local disclosure laws, including the Freedom of Information Act, federal antitrust laws, and federal and state regulatory use. DHS has also taken careful measures to ensure that appropriate privacy and civil liberty protections are fully implemented in AIS and regularly tested. If you’re uncomfortable sharing indicators directly with the government, you can join a participating non-federal entity that can share indicators with DHS on your behalf.

DHS is helping companies across America connect with AIS and is grateful for its collaboration with the U.S. Chamber of Commerce to promote participation in AIS with the business community across the country. We launched AIS with a small number of participating companies and federal agencies and have been deliberately growing AIS at a steady pace. As we continue to add more participants, we will also continue to improve the service and add value.

Participation in AIS is an opportunity to make the lives of malicious actors more difficult and costly. As the number of actionable indicators shared through AIS grows, organizations’ ability to block attacks will improve. AIS won’t eliminate sophisticated threats, but it will free up resources so that organizations can focus on them. The only way AIS will be successful is if more companies share indicators with DHS. Working together, our organizations believe that we can help protect the public and private sectors from a wide variety of cyber threats and reduce network intrusions.

For more information about AIS, visit www.dhs.gov/ais or www.us-cert.gov/ais. For more information on the Chamber’s cybersecurity campaign, visit www.cybersecurityadvocacy.com