Experts Warn CISA’s Threat Sharing is in a 'Death Spiral'
US Cyber Defense Agency’s Flagship Threat Sharing Initiative Facing Major Hurdles
The United States' top cyber defense agency is struggling to maintain one of its flagship threat-sharing initiatives, according to a new watchdog report, with plummeting participation, security concerns and a lack of a recruitment strategy undermining its ability to protect critical infrastructure.
A September report from the Department of Homeland Security Office of Inspector General found that participation in the Cybersecurity and Infrastructure Security Agency's Automated Indicator Sharing program has plummeted to its lowest level since 2017. The report attributed the decline to CISA's failure to maintain an outreach strategy and a lack of engagement with key stakeholders, resulting in a 93% drop in cyber threat indicators shared through the system.
The program, established by the 2015 Cybersecurity Act, facilitates real-time, automated exchanges of cyber threat indicators between the public and private sectors, allowing participants to share actionable intelligence on vulnerabilities, threat tactics and malicious activity. But experts told Information Security Media Group that the AIS program has been of "questionable utility" since its inception, suggesting it may require a complete overhaul - or even be scrapped altogether in favor of more effective, trusted threat-sharing initiatives that better meet the needs of government and industry.
"The threat intelligence sharing mission at CISA is critical and impactful, but AIS was not a meaningful contributor," Rex Booth, former chief of cyber threat analysis for CISA and CISO of the security firm SailPoint, told ISMG. Booth noted that his team at CISA put significant effort into coordinating with government sources to ensure threat intelligence flowed through the AIS platform but said "any number of factors" could have disrupted its operations, including connectivity issues, declassification hurdles or lapses in maintaining formal agreements.
"CISA and Congress need to consider whether this is a program worth continuing or whether its objectives are better met in other ways," Booth added.
CISA spearheads several threat sharing initiatives besides AIS, including the National Cyber Awareness System and the Joint Cyber Defense Collaborative, which aims to enhance cyber defense collaboration between government and private sector partners. These initiatives have similarly encountered criticisms, with CISA hinting at plans to overhaul the Joint Cyber Defense Collaborative earlier this year after experts warned the initiative was struggling due to vague membership criteria and participation challenges (see: CISA Planning JCDC Overhaul as Experts Criticize Slow Start).
CISA did not respond to requests for comment, but said in written responses to the IG report that it planned to complete an evaluation of the AIS service that will "culminate in a series of recommendations for CISA leadership consideration" by July 21, 2025. Experts called the timeline "disheartening" and urged CISA to expedite an overhaul of its operations under the new Threat Intelligence Enterprise Services initiative, which aims to provide more streamlined and tailored insights for participants.
AIS "has found itself in a death spiral with both producers and consumers of cyber indicators all pulling back," according to John Terrill, CISO at Phosphorus Security. "Fortunately, CISA knows this and can hopefully stop the bleeding and reboot this information sharing initiative with the new TIES program."
"The real question is what will TIES do differently to avoid the same fate as AIS," he added.
CISA acknowledged when announcing the new TIES program in 2023 that "the cybersecurity industry has matured substantially" since the early days of AIS and that practitioners require context and precision "over volume and velocity alone."
Auditors urged CISA Director Jen Easterly to develop strategies for improving federal participation in the program, highlighting that a key unnamed federal agency exited due to unspecified security concerns related to transferring its data into the system, which significantly contributed to the decline in participation. The inspector general also called on the agency to develop and maintain accurate spending plans for the program to help determine future costs.
The findings may not fully reflect CISA's impact on enhancing organizational resilience through cyber threat intelligence, said John Doyle, a SANS-certified instructor and consultant. Doyle said CISA actively collaborates with private sector partners to highlight the activities of various threat groups, particularly recent efforts targeting critical infrastructure by Chinese actors, including when the agency and Microsoft quickly released advisories on the Volt Typhoon group (see: US CISA Urges Preventative Actions Against Volt Typhoon).
"The OIG findings about AIS show just a fraction of the efforts that CISA is undertaking to help provide organizations with business resilience," Doyle told ISMG. "This is something that we should consider as we try to holistically evaluate the organization's role in helping combat cyber threats and build organizational resilience."