Why is it so hard to sign up for the feds’ cyberthreat information sharing program?
A little more than a year since the Department of Homeland Security launched the Automated Indicator Sharing program, private sector adoption of the cyberthreat information service has been sluggish. Critics have said the data has problems with quality and timeliness. But some experts say there’s another — and perhaps more important — issue: For most companies, it’s just too darn hard to sign up.
One private sector executive who spoke to CyberScoop but asked for anonymity to preserve relationships at DHS, said company leaders “reared back hard” when they discovered what was involved in getting onboarded to AIS, which shares cyberthreat indicators gleaned from U.S. intelligence with the private sector.
“You have to negotiate a special deal, which means lawyers’ time. You have to buy and install special equipment … You need people working on it … When you add it all up, it was a six-figure proposition with no [return on investment] you can show on a balance sheet … Try explaining that to the board,” said the executive.
DHS said last month that 129 companies and government agencies had signed up for AIS, after the department had touted the program as a scalable solution that thousands and thousands of enterprises could use. DHS defended that number by saying some subscribers were information sharing councils or security companies that would pass through the data to their own partners.
DHS has prioritized sheer numbers of indicators over timeliness and quality, Rep. Jim Langevin, D-R.I., said last week during a House Homeland Security committee hearing. He called the level of private sector participation in the AIS program “frankly unacceptable,” blaming DHS for sharing attack indicators that, he said, were “often late and lack important context.”
The legal agreement required is called a Cooperative Research and Development Agreement (CRADA), and the equipment consists of a server or servers that can handle the incoming indicator traffic. The traffic is expressed in a special language called STIX (Structured Threat Information eXpression), and the server must run special software to decode it called TAXII (Trusted Automated eXchange of Indicator Information). If the organization wants to contribute threat indicators — as all AIS participants are encouraged to do — those have to be processed into STIX format and may need vetting by an analyst before they can be sent.
In a properly integrated cyberdefense system, cyberthreat indicators such as IP addresses delivered to an organization’s TAXII server can be loaded into its security software immediately, and any malicious email or software containing that indicator is blocked right away.
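The pipeline the two paragraphs above describe, as an added example that is not code from the article, DHS or the AIS program: a constructed STIX 2.0 bundle is parsed for simple indicator patterns, and the resulting blocklist is applied to a few constructed mail-gateway log lines. The bundle ids, the IP address, the sender address and the log format are all assumptions made up for the example.

```python
import json
import re

# Constructed sample STIX 2.0 bundle (not real AIS data); ids are placeholders.
STIX_BUNDLE = json.dumps({"type": "bundle", "spec_version": "2.0",
    "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "created": "2017-06-01T00:00:00.000Z", "modified": "2017-06-01T00:00:00.000Z",
     "labels": ["malicious-activity"], "valid_from": "2017-06-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.5']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "created": "2017-06-01T00:00:00.000Z", "modified": "2017-06-01T00:00:00.000Z",
     "labels": ["malicious-activity"], "valid_from": "2017-06-01T00:00:00Z",
     "pattern": "[email-addr:value = 'billing@example.net']"},
    {"type": "identity", "id": "identity--00000000-0000-4000-8000-000000000004",
     "created": "2017-06-01T00:00:00.000Z", "modified": "2017-06-01T00:00:00.000Z",
     "name": "Constructed Sharing Org", "identity_class": "organization"}]})

# Only the single-comparison form most IP/e-mail indicators use; patterns with
# AND/OR/FOLLOWEDBY need a full STIX pattern parser and are skipped here.
SIMPLE_PATTERN = re.compile(r"^\[([\w-]+):([\w.\-]+)\s*=\s*'([^']*)'\]$")

def extract_indicators(bundle_json):
    """Map (STIX object type, property) -> set of values from the bundle's indicators."""
    blocklist = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue  # identities, relationships etc. carry no observables
        m = SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if m:
            blocklist.setdefault((m[1], m[2]), set()).add(m[3])
    return blocklist

# Constructed mail-gateway log lines (assumed key=value format, not a real product's).
LOG_LINES = [
    "2017-06-01T10:00:01Z src=203.0.113.5 from=billing@example.net subject=Invoice",
    "2017-06-01T10:00:02Z src=198.51.100.7 from=alice@example.org subject=Lunch",
    "2017-06-01T10:00:03Z src=198.51.100.9 from=billing@example.net subject=Invoice",
]

# Which log field corresponds to which STIX observable property.
FIELD_MAP = {"src": ("ipv4-addr", "value"), "from": ("email-addr", "value")}

def blocked_lines(blocklist, log_lines):
    """Return (line, matched indicator value) for each line that hits the blocklist."""
    hits = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
        for field, key in FIELD_MAP.items():
            if fields.get(field) in blocklist.get(key, set()):
                hits.append((line, fields[field]))
                break  # one hit is enough to block the message
    return hits
```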
But a former official who dealt with the issue at DHS said despite the promise of machine-to-machine communications, AIS was still moving at “government speed.”
“CRADA is an acquisition agreement that the department uses when it wants to look at some new technology,” said the former official, who asked for anonymity to protect the sensibilities of current employers. “It’s designed to protect intellectual property but it’s kind of been repurposed for information sharing … Every company is different so you’re never going to have a standard deal.”
The cost is not reimbursable, the former official pointed out, and taking into account staffing costs, could amount to as much as a million dollars a year for a large enterprise.
“OK so that’s JP Morgan Chase or whoever, and the attitude [inside the government] is, ‘Well, they’ve got plenty of money,’ but that’s not how it works out here [in the private sector]. That has to come from someone’s budget. How do you justify it,” especially when the indicators are late or missing important context?
“There’s no doubt that the AIS program hasn’t provided the machine-to-machine capability that it was held out as doing,” added John Cohen, another former senior DHS official who worked information sharing issues at the department. “The number of folks who’ve signed up is frankly disappointing and when you only have a small group sharing that obviously diminishes the value” of the whole exercise.
“The prevailing sentiment among private sector cyber executives I talk to is that AIS is not adequate to meet the current threat,” added Cohen, who now teaches at Rutgers University.
The DHS press office did not respond by press time to a request for reaction and comment. At a conference last month, DHS Assistant Secretary for Cybersecurity and Communications Jeanette Manfra defended the AIS program to a gaggle of reporters, pointing out that it was scalable and enabled the kind of automation necessary to improve cyber defenses.
She said many of the technical issues with lack of context were being addressed in a new STIX version 2.0. DHS had invested heavily in the program, she added, and “over the next year … we’re really going to see a return on that investment.”