So far the Department of Homeland Security (DHS) has shown limited progress in getting the private sector to participate in a new automated cyber threat information sharing system that officially went online in mid-March. On June 9 the department hosted an outreach session with stakeholders to better educate them about the ease and benefits of joining its Automated Indicator Sharing (AIS) system.
There are about 30 to 35 companies and other private entities currently hooked up to the AIS server and a “handful a week” are joining, Andy Ozment, assistant secretary for the DHS Office of Cybersecurity and Communications, said at a workshop his office hosted on the implementation of a new law aimed at turning on the AIS capability and incentivizing the private sector to voluntarily share cyber threat indicators with DHS and each other.
Preston Wentz, who works in Ozment’s office, said later in the workshop that more than 100 private sector entities have started the process leading to participation in the AIS program. Ozment described the progress so far with the private sector as “great.”
However, the numbers Ozment and Wentz supplied are about the same as the department mentioned in late May. Still, they are about double the numbers from early May.
Ozment said that DHS doesn’t have the “capacity” to onboard 100 percent of the United States economy onto AIS overnight. He sees adoption of AIS by the private sector continuing until it has broad reach.
The AIS capability allows near-real time sharing among participants of cyber threat indicators that are appearing on their respective networks. The sharing of these indicators can help network defense systems see potential threats that they weren’t previously aware of.
The almost instantaneous sharing of threat indicators is enabled by relatively new standards that operate at machine speed, which is necessary to keep up with the millions of indicators that some networks see in a day or less, officials at the workshop said.
Adversaries are completely automated and trying to combat them with additional manpower won’t win the day, said Dewan Chowdhury, an official with the energy company Pepco Holdings. Automation is critical to countering cyber attackers, he said.
Chowdhury also said that currently the threat indicators Pepco receives through AIS are ones seen by the federal government, not by other companies. He said the culture in industry is “everyone wants to receive; no one wants to share.” Pepco lawyers for six to seven months wrestled with the question of whether to share threat indicators due to concerns over reputation but Chowdhury and Ozment both pointed out that the benefits of seeing threat indicators need to be factored in alongside the risk side of the equation.
The recent spate of high profile ransomware attacks, in which an organization’s computer systems or key files are hijacked until it agrees to pay a ransom for the key to unlock the files, has woken up the private sector to the importance of sharing threat data, Chowdhury said.
The AIS system isn’t the only way DHS shares cyber threat information with the private sector and enables private sector entities to share among themselves. The department already has the Cyber Information Sharing and Collaboration Program (CISCP), which has more than 150 participants and allows for more face-to-face sharing between DHS and industry and between industry participants.
Chowdhury said the CISCP program has been an excellent source of information sharing for Pepco.
DHS also provides contextual sharing around cyber threat data via other portals.
Ozment described an “iron triangle” of cyber threat indicators consisting of volume, validation and velocity. He said the private sector is interested in velocity and volume and will take care of the validation itself, “so that’s what we’re focusing on right now.”
DHS won’t validate every threat indicator it sees so “if somebody passes us garbage, we may pass it on straight to you unless we can very rapidly and in an automated way tell that it is garbage,” Ozment said.
Industry’s approach means that most companies are probably focusing on intrusion detection, not prevention, which means alarms will go off and each will be investigated to determine whether it is a real threat or a false alarm.