• United States



Advancing cybersecurity through automated indicator sharing

Sep 27, 20164 mins
CyberattacksCybercrimeData Breach

As the number of cybersecurity incidents increase, both the government and the private sector have worked together to introduce an info-sharing program to help address the threats.

[Note: This article is coauthored by Ann Beauchesne and Dr. Andy Ozment. Ms. Beauchesne is Senior Vice President of the National Security and Emergency Preparedness Department at the U.S. Chamber of Commerce.]

Cyber attacks are increasing every day, and we’re constantly inundated by news reports detailing data breaches, ransomware attacks, and other system intrusions that cost businesses time and money and erode consumer confidence. Both the government and the private sector recognize the gravity of these incidents and are working together to address cyber threats through a novel information-sharing effort.

Last December, Congress passed the Cybersecurity Information Sharing Act of 2015 (CISA), which urges companies to share critical cyber threat information with each other and with the government in a timely manner. To facilitate this effort, the legislation required the Department of Homeland Security (DHS) to develop and deploy a system enabling the automated exchange of cyber threat indicators in real time. Under a tight deadline, DHS worked hard to start up an Automated Indicator Sharing (AIS) capability and meet all the requirements of the law. In March, 90 days after the passage of CISA, Secretary of Homeland Security Jeh Johnson certified AIS as fully operational.

AIS is the cornerstone of DHS’ effort to create an information-sharing ecosystem. The moment a company or federal agency observes an attempted compromise, indicators associated with that incident are shared in real time with our partners, protecting them from that particular threat. This means that adversaries can only use an attack once, which increases their costs and reduces the prevalence of cyber attacks. The goal is to commoditize cyber threat indicators through AIS so that tactical indicators are shared broadly among the public and private sectors.

There is no fee to join AIS. Participants in AIS connect to a DHS-managed system in the department’s National Cybersecurity and Communications Integration Center (NCCIC), which enables two-way sharing of cyber threat indicators. Businesses need a server to exchange indicators with the NCCIC. Participants not only receive DHS-developed indicators, but can share indicators that they have observed, which DHS will share with all AIS participants.

Participants that share indicators through AIS are not identified as the source to other participants unless they consent to the disclosure. In other words, indicator contributions are anonymous unless you want DHS to share your name.

With information sharing, there are three key characteristics: volume (lots of indicators), velocity (speed of sharing), and validation. Unfortunately, you can only ever get two out of three. In this case, the NCCIC has heard from you that you want a lot of information from the government, and you want it as soon as it is discovered, so AIS focuses on volume and velocity. Moreover, you will validate the indicators yourselves anyway, so you do not need the delay of DHS also validating them. That being said, when the government has useful information about an indicator, the NCCIC will assign a risk score to provide context to our customers.

CISA also provides AIS participants with legal protections. Companies that submit indicators through AIS in accordance with the requirements set forth in CISA receive liability protection. Indicators submitted through AIS are exempt from federal, state, tribal, and local disclosure laws, including the Freedom of Information Act, federal antitrust laws, and federal and state regulatory use. DHS has also taken careful measures to ensure that appropriate privacy and civil liberty protections are fully implemented in AIS and regularly tested. If you’re uncomfortable sharing indicators directly with the government, you can join a participating non-federal entity that can share indicators with DHS on your behalf.

DHS is helping companies across America connect with AIS and is grateful for its collaboration with the U.S. Chamber of Commerce to promote participation in AIS with the business community across the country. We launched AIS with a small number of participating companies and federal agencies and have been deliberately growing AIS at a steady pace. As we continue to add more participants, we will also continue to improve the service and add value.

Participation in AIS is an opportunity to make the lives of malicious actors more difficult and costly. As the number of actionable indicators shared through AIS grows, organizations’ ability to block attacks will improve. AIS won’t eliminate sophisticated threats, but it will free up resources so that organizations can focus on them. The only way AIS will be successful is if more companies share indicators with DHS. Working together, our organizations believe that we can help protect the public and private sectors from a wide variety of cyber threats and reduce network intrusions.

For more information about AIS, visit or For more information on the Chamber’s cybersecurity campaign, visit

Dr. Andy Ozment has worked in cybersecurity for almost twenty years as an operator, programmer, policymaker and executive. He is currently the Assistant Secretary for Cybersecurity and Communications at the Department of Homeland Security (DHS). In this role, Dr. Ozment is charged with protecting the government against cyber attacks and helping the private sector protect itself.

Dr. Ozment’s office helps its private sector and government customers by responding to incidents, sharing information, developing and promulgating best practices, and increasing our nation’s cybersecurity capacity. In leading this office, Dr. Ozment oversees a budget of more than $1 billion and leads a workforce of over 600 federal employees and several thousand support personnel.

At DHS, Dr. Ozment has led the U.S. government’s response to dozens of incidents in the government and private sector. During his tenure, his teams have been called in to find and remove the intruders at OPM and separately to travel to Ukraine to better understand and share information about the cyber attack that turned off power to over 200,000 customers. His team built and operates a classified, government-wide intrusion prevention system and is working with federal agencies to deploy endpoint monitoring solutions across millions of government computers. By establishing policy with clear metrics and holding agencies accountable, Dr. Ozment has driven a measurable decrease in the cyber risk faced by government agencies.

Prior to joining DHS, Dr. Ozment served at the White House as the President’s Senior Director for Cybersecurity where he led a team that developed national policy and coordinated federal cybersecurity efforts. He was responsible for the development and implementation of the President’s Executive Order 13636 on Improving Critical Infrastructure Cybersecurity. He then oversaw the resulting development of the NIST Cybersecurity Framework. Dr. Ozment also led the development of the National Strategy for Trusted Identities in Cyberspace, a signature initiative by the Administration to improve online authentication.

Before joining the White House, Dr. Ozment led an operational security group at DHS that oversaw compliance, metrics and security authorization for the Department’s Chief Information Security Officer. Previously, Dr. Ozment served in cybersecurity or technical roles with the Office of the Secretary of Defense, National Security Agency, Merrill Lynch and Nortel Networks.

Dr. Ozment earned a Bachelor of Science degree in Computer Science from Georgia Tech. While studying in the United Kingdom on a Marshall Scholarship, he earned a Master of Science degree in International Relations from the London School of Economics, and a Ph.D. in Computer Science from the University of Cambridge.

The opinions expressed in this blog are those of Dr. Andy Ozment and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author