DHS looks to upgrade flagging info sharing program

A top cyber official at the Department of Homeland Security said the underutilized Automated Indicator Sharing program will be getting a facelift to improve quality and facilitate more complex defensive actions.

A senior Department of Homeland Security official said a flagging cybersecurity information sharing program will be getting a facelift to improve quality and facilitate more complex defensive actions.

The Automated Indicator Sharing program, which facilitates the sharing of threat indicators between the federal government and private sector, was originally envisioned as a crucial tool to achieve broader visibility around malicious cyber activity and more quickly respond to emerging threats. However, the program has never gained the level of traction with private sector groups that policymakers in Congress and at DHS originally hoped for. In particular, while many companies are happy to receive information from DHS, only a handful were actually sharing information back with the government as of last year, per reporting from Nextgov.

Jeanette Manfra, the assistant director for cybersecurity and communications at the Cybersecurity and Infrastructure Security Agency at DHS, said her agency has been able to make significant progress in recent years to increase collaboration with companies and other federal agencies through more analog means -- such as conversation and relationship building. However, when it comes to automated programs like AIS, it's "going to take a lot more work to build trust into the system," she said.

"When we start talking about automation, you really have to get into the weeds with your partner and have honest conversations," Manfra said at a Sept. 5 Intelligence National Security Alliance event in Washington, D.C. "I don't need you to just automate the ingest, I need you to automate the actual actions and I need it to start to spread to as many people as possible so that we're all blocking whatever it is that one person put in there."

Sharing information was supposed to be just the first link in the AIS chain -- something that would facilitate broader automated actions to identify and close off certain vulnerabilities before they started to get exploited by bad actors at scale. Getting to that stage turned out to be far more complicated than program creators realized.

"Everybody sort of went into it with this [idea that] we have to do things at machine speed, cyber speed, super-fast and real time, and if we just find a way to automate indicators we'll get rid of all this noise that everybody has to deal with and focus on the really hard problems," Manfra said. "But if you think about it, if I'm delivering a feed…to hundreds of organizations, the amount of trust that organization has to have in my feed to automate not just the ingest but the actual blocking action – that's a lot of trust."

One of the other enduring complaints from companies has been that the data they receive from AIS is incomplete, lacking critical context or otherwise of limited use. In an interview following her appearance, Manfra told FCW that after hearing feedback from participants, CISA is looking to revamp the program in the future to address some of those concerns.

"I think what we’re going to do is we will probably start differentiating more feeds, so it's not going to be a one size fits all," she said. "It was originally intended to not have much human [presence] in the loop…but garbage-in garbage-out is always a risk there. So there will probably be less quantity and higher confidence and higher quality, because that's most of the feedback we've gotten. [We've heard] 'if it's coming from the government, we're happy to trust it but we want to know that this is no kidding the most important stuff.'"