CISA’s outreach issues hinder threat-sharing service, watchdog says
A service created by the Cybersecurity and Infrastructure Security Agency to spur the sharing of cyber threat indicators and defensive measures is floundering due to a lack of outreach, according to a new watchdog report.
The Department of Homeland Security’s Office of Inspector General found that the use of CISA’s Automated Indicator Sharing (AIS) has fallen to its lowest level since 2017, with a 93% decline in the sharing of cyber threat indicators from 2020 to 2022.
CISA partially attributed that drop to an “incoming federal partner” that stopped sharing information due to “unspecified security concerns with transferring information from its current system to AIS.” However, the OIG found fault with the cyber agency for not having “an outreach strategy to recruit and retain data producers,” going against a provision in the Cybersecurity Information Sharing Act of 2015 that called on the DHS secretary to facilitate and promote threat intel sharing.
“Without explanation, CISA paused outreach efforts for promoting AIS in May 2022,” the report stated. “CISA’s lack of outreach led to at least one major stakeholder being unaware of AIS. This stakeholder only became aware of the information-sharing capability by conducting its own research and contacting CISA directly to become a participant.”
CISA, which launched AIS in 2016, finished updates to the 2.0 version of the system in March 2022. Those updates, aimed at addressing limitations in information sharing, included a switch to a single portal for submissions, a feature to track the status of submissions, filtering functionality, and allowing submitters to remain anonymous.
The OIG found that CISA planned to “establish the Quality Service Management Office to create an online marketplace so CISA could advertise AIS to potential data producers,” but never made it to launch. The watchdog said it made “numerous unsuccessful attempts to interview CISA senior executive management” about the decision, but was ultimately unable to get to the bottom of the issue.
The OIG also flagged a decision by CISA management to stop drafting an external affairs guide meant to bolster outreach for AIS. That choice was due at least in part to the fact that the agency was working with inaccurate contract information for AIS participants, the watchdog noted.
The result of the lack of outreach by CISA was a precipitous fall in the federal collection of cyber threat indicators: from 9,484,158 in 2021 to 413,834 in 2022, a nearly 96% decrease.
To address the outreach issues, the OIG recommended that CISA “develop and implement a strategy and performance metrics to actively recruit and retain” AIS participants, including federal data producers. CISA concurred with the recommendation, noting that its Cybersecurity Division has commissioned an independent evaluation of AIS that includes the consideration of alternative information-sharing systems. The agency said it will deliver recommendations from its findings and communicate changes to participants as needed by July 31, 2025.
CISA also agreed with an OIG recommendation to have its director team with the agency’s chief information and chief financial officers to document future costs connected to AIS. That recommendation came out of the watchdog’s revelation that CISA “could not identify detailed FY 2021 and FY 2022 funding expenditures for the AIS capability.”
