If cyber threat sharing is a team sport, DHS needs more teammates

On Halloween, the Homeland Security Department’s Automated Indicator Sharing (AIS) program will turn two years old.

Back in 2015, then-Secretary Jeh Johnson celebrated the successful launch of the program to create a two-way secure sharing of cyber threats between government and industry.

Once the cake was cut and the confetti on the watch floor at the U.S. Computer Emergency Readiness Team (US-CERT) was swept up, the hard work really began to get industry to take part in the two-way sharing approach.

As DHS hits the two-year anniversary of AIS, the program continues to crawl forward.

John Felker, the director of the National Cybersecurity and Communications Integration Center (NCCIC) at DHS, said AIS is not going as well as the agency would like, but it is getting better.

Felker, who spoke on a panel at the Intelligence and National Security Summit, sponsored by AFCEA and the Intelligence and National Security Alliance (INSA) in Washington, said about 250 commercial organizations participate in AIS, and most of the sharing is one way.

“A couple of those receive modes are big conglomerates like Information Sharing and Analysis Centers (ISACs) and private companies that have a significant reach into their customer base so that information is getting out there,” Felker said. “I think we need to think through what are you going to set in place as a trigger that causes automated action to occur and that is part of the next discussion.”

DHS signed up one agency last year to provide two-way sharing of cyber threat data. The first company, Anomali, is providing DHS with data like IP addresses, domain names, hash values and other indicators of compromise, Todd Helfrich, vice president of federal at Anomali, told Federal News Radio back in September 2016.

But DHS needs more than one or a few organizations to participate in two-way sharing. Federal systems make up 20 percent of all networks in the U.S., meaning that partnership and collaboration with the private-sector companies, who own the remaining 80 percent, is particularly important.

Congress tried to shore up any potential or real problems with two-way sharing by passing liability and safe harbor protections in the Cybersecurity Act of 2015.

Suzanne Spaulding, a former DHS undersecretary for the National Protection and Programs Directorate (NPPD), said at the conference that the value of sharing threat information in milliseconds is better understood today than ever before.

“Where we still have work to do is gaining the trust of the private sector, that they can share their information with the government and not have to worry about liability, reputation harm or regulatory action coming after them. There still are concerns about victims being treated as bad guys. That is work we still have to do,” she said. “We, DHS, have a statutory authority to protect this information that is provided. Government needs to do a better job of getting that information out.”

Spaulding said DHS initially was satisfied with one-way sharing based on a central piece of its mission: getting threat data out to the private sector.

Felker said implementation of the second generation of threat-sharing standards, called STIX and TAXII — Structured Threat Information Expression (STIX) and the Trusted Automated Exchange of Indicator Information (TAXII) — will continue to make two-way sharing easier.

DHS launched STIX and TAXII 1.0 projects in March 2016, and since then has shared more than 277,000 unique threat indicators through AIS.

“STIX 2.0 is part of the answer. There are some new elements in 2.0 that will be very helpful,” Felker said. “It’s sharing on a different platform so it’s more robust than XML, it’s JSON, and so that will be a big help.”

He said STIX 2.0 will have context and a better way to qualify the threats of the indicators as well as the quality of the source to help organizations make risk decisions.

Felker said DHS will begin to implement STIX 2.0 over the next year.

Felker said DHS understands that information sharing is a team sport and brings the ability to share threat indicators rapidly and across a broad swath of organizations.

“Part of the problem with the formatting is we had to go through a lot of testing to make sure the data that is going out is valid and it’s not going to create a whole lot of false positives. In each case, we do that with some rigor for each of the partners,” he said. “With a couple of the big companies that we are playing with now, that already has been accomplished and we continue to improve that process.”

Felker said the future goal is to get to a place where private-sector partners could ingest the threat indicators and automatically patch or block their systems.
