CISA to modernize cyber threat information sharing approach for enhanced security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said this week that as the cyber threat environment evolves, so must the agency’s capabilities to analyze and share cyber threat information. In light of this, CISA will begin a two-year strategic effort in 2024 to modernize its approach to enterprise cyber threat information sharing ‘to maximize value to our partners and keep pace with a changing threat environment.’

About a decade ago, CISA rolled out its Automated Indicator Sharing, or AIS, program to exchange machine-readable cyber threat information. When the AIS program was first designed, the government was focused on filling an identified gap in cyber threat intelligence for many organizations and ensuring strong privacy controls. In the early days of AIS, the priority was speed. 

However, a decade later, the cybersecurity industry has matured substantially; current products and services are addressing information requirements for most organizations and, in an era of information overload, practitioners still require speed but value context, precision, and tailored insights over volume and velocity alone.

Michael Duffy, associate director at CISA, wrote in a recent blog post that the agency evaluates the cyber threat environment, considers the impact of known vulnerabilities, and assesses the defensive posture of entities across the U.S. to determine how it can most effectively safeguard critical infrastructure and government networks. “Our insight is derived from a variety of sources to include classified and open-source reporting; operational collaboration with government and industry partners; findings from CISA assessments and incident response; and from information shared by members of our broad cybersecurity community through mechanisms such as AIS.”

Duffy added that CISA then translates these insights into timely and relevant information. “We share information broadly on a global scale, through alerts, advisories, and our Known Exploited Vulnerabilities catalog. We enrich our shared services and cyber capabilities with cyber threat information (CTI). And, we leverage these insights to design and prioritize new cyber capabilities for programs such as Continuous Diagnostics and Mitigation (CDM). Across the board, CISA incorporates our unique insights of the global cyber threat environment into everything we offer to provide value to our partners.”

While these threat-informed products and capabilities are important to many of the agency’s stakeholders, “we know that organizations also benefit from receiving cyber threat information to shape investment decisions and prioritize mitigation actions. It is not enough to monitor broad cyber threats generally; organizations must apply threat information to their own risk and technology environments,” Duffy noted.

In 2024, CISA will begin a strategic effort to modernize its approach to cyber threat information sharing, Duffy revealed. This effort will drive three key areas of progress: simplification, partner-centered design, and learning from experience.

When it comes to simplification, CISA will refocus and consolidate customer-facing cyber threat intelligence offerings under a new initiative called Threat Intelligence Enterprise Services (TIES). The TIES Exchange Platform will unify CISA’s information-sharing capabilities under a single banner for federal agencies and certain user communities, enabling the streamlined provision of cyber threat information from its partners and commercial sources. This will offer a common view which will facilitate communications and enable threat-specific engagement.

As CISA designs and implements this central solution, it is working in parallel to modernize its AIS capability which, in the future, will further complement CISA-curated threat feeds made available by this shared service platform.

Throughout the process, Duffy said that CISA will be driven by the requirements of its partners, including federal agencies, critical infrastructure organizations, and state, local, tribal, and territorial governments, “to ensure that we are adding value rather than duplicating capabilities. We will continuously seek feedback and ensure that the platform itself is built around human-centered design principles to enable ease of use even for under-resourced organizations.”

He also added that CISA will rigorously learn from known challenges with the legacy AIS system. “We know that it must be easy to both share and receive, that shared information must have sufficient context to enable prioritized action; and that every participant must recognize meaningful value that is additive to existing cybersecurity capabilities. At the same time, we will build upon the successes of the AIS program, including a rigorous focus on privacy and confidentiality by design.”

Looking forward, Duffy detailed that CISA’s goal is to facilitate collective, automated cyber defense through increased sharing and context, shaped by an acute understanding of the threat environment. “While CISA implements this transition over the next two years, the AIS program will remain available, and we encourage users to continue leveraging this capability and actively share indicators back with CISA,” he added.

“Our shared visibility into cyber threats is our best defense. When an organization identifies threat activity and keeps it to itself, our adversaries win. When we rapidly share actionable information across a community of partners, we take back the advantage,” according to Duffy. “And, when we turn actionable information into strategic investments to drive the most important mitigations, we achieve enduring change. In this new year, we encourage every organization to make a commitment - perhaps a New Year’s resolution - to cybersecurity information sharing, including incident information, indicators of compromise, or even feedback and insights that could benefit peers across the Nation.”

This week, CISA published a Request for Information from interested parties on secure-by-design software practices, including the agency’s latest whitepaper, ‘Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.’ The agency’s move is part of an ongoing global campaign promoting secure-by-design practices. It urges software manufacturers to take immediate action to ensure that their products are secure by design.