Automated Indicator Sharing is a Cyber Boon

By Zach Donisch, Director, AEHIS, AEHIT, AEHIA Membership

In 2016, the Department of Homeland Security redesigned their Automated Indicator Sharing (AIS) program, touting it as an opportunity for a public-private partnership between organizations tracking and responding to targeted cyber threats and government organizations monitoring larger global cyber threats.

This formalized and expanded AIS program as laid out by the Department of Homeland Security would provide data points and indicators for organizations to quickly detect and neutralize known bad actors. According to the AIS website, “AIS leverages industry standards for machine-to-machine communication called STIX and TAXII. DHS initiated the development of these standards in 2012 and licensed them to the OASIS standards body in 2015 for their future continued evolution.” Anticipating concerns from the private sector, former DHS Homeland Security Secretary Jeh Johnson laid out the newly added layers of privacy protections in the AIS system in a statement introducing Automated Indicator Sharing, stating that “companies are required to remove personal information before sharing cyber threat indicators and DHS is required to and has implemented its own process to conduct a privacy review of received information.”

Despite these efforts, the AIS program is not without its criticisms. Small, rural, or critical access healthcare organizations have a significant burden compared to larger organizations when asked to participate in these kinds of programs because of their limited access to resources. Mitchell Parker, chief information security officer for Indiana University Health and AEHIS member, spoke to the significant challenges smaller organizations share when attempting to implement these solutions. “As shown by the VPNFilter and Mirai malware outbreaks … there are a lot of routers and Internet Access devices in use that do not get security updates. If we can’t protect these, how can we expect them to participate in AIS? … While it is very good that this program exists, we need to be more proscriptive with providers who do not have the resources to make purchasing decisions that larger providers can.”

Additionally, the general sentiment among many in the private sector is that current law and regulations are too punitive toward breaches, leading to an unwillingness to disclose information about bad actors or to come forward in response to breaches. This difficulty was highlighted by former FBI Director James Comey in his remarks at the 2016 Symantec Government Symposium: “We have to work better with the private sector to address these threats. All the information, all the evidence we need, sits in private hands in the United States—and that is a wonderful thing. But it’s an enormous challenge. We have discovered that the majority of our private partners do not turn to law enforcement when they face an intrusion.”

In addition to limited information sharing from the public sector, Department of Homeland Security and FBI officials utilized AIS to publish information contained in the Grizzly Steppe report, a list of known bad actors from Russian civilian and military intelligence services. The dataset released within the report lacked accurate context to help organizations fight against a certain threat, and instead provided only names of malware tools, group names and capabilities. Noted cybersecurity expert Robert M. Lee, founder of Dragos, Inc., remarked in a blog post that the report “only added confusion as to whether the DHS/FBI knows what they are doing or if they are instead just telling teams in the government ‘contribute anything you have that has been affiliated with Russian activity’.”

Despite significant challenges in winning over the private sector, both AEHIS Board Chair Erik Decker and Parker believe strongly that the AIS program holds a substantial benefit for those who participate. Parker offered a final vote of confidence toward the Department of Homeland Security’s AIS program, calling it “an excellent program and a good attempt to bridge the gap between the federal government and private industry.” The hope is that through resources such as the National Health Information Sharing and Analysis Center (NH-ISAC) and other information sharing resources, healthcare organizations are better prepared to face common enemies and bad actors.

For more information on automated indicator sharing, visit

More AEHIS News

CHIME Advocacy Summit – by Chris Cook, Vice President, AEHIS, AEHIT, AEHIA

AEHIS Board Chair Erik Decker Talks Cyber Preparedness to Congress – By Leslie Krigstein, Vice President, Legislative Affairs, and Chris Cook, Vice President, AEHIS, AEHIT, AEHIA

Transforming Healthcare Information Security, One Episode at a Time – by Zach Donisch, Director, AEHIS, AEHIT, AEHIA Membership

AEHIS Fall Summit Preview – Sriram Bharadwaj, AEHIS Fall Summit Planning Committee Chair