Enrollment for threat sharing program continues to lag

The federal government has big plans for a public-private cybersecurity information exchange, if only it can get buy-in from the private sector.

Acting federal Chief Information Security Officer Grant Schneider told attendees at a Nov. 1 information sharing conference in Washington D.C. that the Trump administration believes the recently created Automated Indicator Sharing (AIS) program can be a linchpin of the government’s long-term strategy for protecting private and commercial industries from cyberattacks and data breaches.

“We feel, from an administration standpoint, that a big chunk of our future of being able to share threat and indicator information is going to be across the AIS platform,” said Schneider.

There’s just one problem: Virtually everyone who has visibility into the program has reported that not nearly enough organizations are signing up.

“It’s going to take a while for us to get [AIS] where we really need it to be,” said Schneider.

The AIS program allows for private-sector companies to quickly share real-time data around cybersecurity vulnerabilities and threat indicators with the government and other organizations attack. By proactively sharing information the government hopes to mitigate damage and better coordinate against large-scale cyberattacks.

After his speech, Schneider told FCW that discussions within the Department of Homeland Security were ongoing, but offered some insight into how the government might encourage more participation.

“For me, I would say we want to grow and enhance the capabilities [of AIS], we want it to be easier and simpler for both companies and agencies to consume information, to provide information and really get it into their environment in an actionable way,” he said.

Bridgette Walsh, deputy director of the cyber exercise program at the Department of Homeland Security, told the audience that the AIS program currently has approximately 130 non-federal organizations enrolled, and later told FCW that 22 of 23 CFO Act agencies are also signed up. She said she could not recall which agency had yet to enroll.

Walsh flagged two potential reasons for reluctance on the part of outside organizations to use the AIS program: lingering questions around potential legal liabilities and concerns about privacy and data protection. While the Cybersecurity Act of 2015 does provide liability protection for companies that share information across the platform, that protection has yet to be tested in the courts.

“One thing I will acknowledge we know is that there’s no case law for even the liability protection that was given through the Cybersecurity Act of 2015 for AIS,” said Walsh. “So I know that can make companies hesitant.”

Additionally, AIS allows firms to anonymously share data if they choose, but some organizations may worry about sensitive internal data leaking out to the greater public once it’s shared.

“I think DHS has been able to demonstrate that we will do everything in our power to protect what we’re given, and I think we’re trying to do that with all the authorities that we have for things like AIS and any other information that’s being shared,” said Walsh.

Walsh said that even though participation is below where the government wants it to be, the program has shared 1.3 million unique cybersecurity indicators across different industry sectors since it was stood up. She added that she has faith that enrollment will expand as organizations see the benefits and the government makes more targeted outreach efforts.

To that end, she said that in 2018 DHS would focus on recruiting Information Sharing and Analysis Centers and other organizations that will provide the greatest return on investment. Beyond that, the agency hopes the AIS program will eventually mature to the point that big banks and financial institutions sign up as well.