The Cybersecurity Act of 2015 Series: Automated Indicator Sharing (AIS)

Posted by Shivan Mehta

On March 17, 2016, the Department of Homeland Security (DHS) announced that its AIS information portal is “open for business,” and designated the National Cybersecurity and Communications Integration Center (NCCIC) as the cyber hub for private entities to share threat information. The DHS created the AIS initiative to enable federal and private entities to share cyber threat information efficiently. Specifically, the AIS program provides an automated portal that receives, processes, and disseminates cyber threat information in real time. There are three main components of the AIS initiative: (1) Participation and Submission of Cyber Threat Information; (2) Removal of Personal Information; and (3) Dissemination of Cyber Threat Information.

Participation and Submission of Cyber Threat Information

Both federal (e.g., Dept. of Commerce, DHS, Dept. of Defense, etc.) and private entities may participate in the AIS initiative. Private entities may join the AIS system only after the entity has signed and agreed to the Terms-of-Use (“Terms”) created by the DHS. These Terms describe the types of information that can be submitted, who has access to the information, and how the information is protected. The AIS system uses a platform called the Trusted Automated eXchange of Indicator Information (TAXII), and information is transmitted through the platform in a very specific language called Structured Threat Information eXchange (STIX). Once participants acquire their own TAXII client, they can communicate with the DHS TAXII server and send and receive cyber threat information in the STIX language.

Review and Removal of Personal Information

As stated in the prior blog post, each participant must remove certain types of personal information from cyber threat information before submitting the information to the DHS. In addition, the AIS program contains a built-in profile to standardize the received information. This profile allows the system to analyze all fields of the information and to delete prohibited or unnecessary items (e.g., unrelated personally identifiable information). Further, if the system cannot detect or understand a particular field, it sends a trigger for human review to provide another layer of data protection.

Dissemination of Cyber Threat Information

Participants that have signed the Terms and acquired their own TAXII client will receive cyber threat information from the NCCIC. Participants will receive all threat information via the TAXII server. Notably, the identity of the AIS participant submitting the threat information is revealed to other participants in the program only if that participant provides consent to the DHS.

The AIS program is intended to mitigate cybersecurity threats throughout the nation. The opening of the AIS portal is the first step toward achieving that goal.