The nation’s top cyber agency said it has plans to revitalize a system used to share cybersecurity threat information after a government watchdog raised concerns about the program’s recent shortcomings.

On Friday, the Department of Homeland Security’s Office of the Inspector General published a report on Automated Indicator Sharing (AIS) — which was used to spread cyber threat intelligence and was mandated as part of a 2015 law.

The Cybersecurity and Infrastructure Security Agency (CISA), the agency in charge of AIS, was criticized in the report for steep declines in participation as well as missing information on the program’s funding. 

“The number of participants using AIS to share cyber threat information has declined to its lowest level since 2017. The overall number of AIS participants fell from 304 in CY 2020 to 135 in CY 2022,” the inspector general said. 

“Among other factors, overall participation in AIS declined because CISA did not have an outreach strategy to recruit and retain data producers. Concurrently, sharing of [cyber threat indicators] through AIS declined by 93 percent from CY 2020 to CY 2022.” 

The report notes that the decline in sharing occurred largely “because a key Federal agency” stopped sharing threat intelligence “due to unspecified security concerns with transferring information from its current system to AIS.”

The report did not specify the agency, and CISA did not respond to questions about why this occurred. 

The Cybersecurity Act of 2015 mandated that the Department of Homeland Security establish a capability and process for federal entities to receive cyber threat information from non-Federal entities. The voluntary process allows for public and private-sector entities to share cyber threat information with each other.

AIS, which is free to use, was created in 2016 and enables the real-time exchange of machine-readable threat intelligence that includes vulnerabilities, tactics used by hackers and more. 

But the report notes that “insufficient participation in AIS, along with the reduction in [cyber threat indicators], has impeded CISA’s ability to facilitate the sharing of cyber threats in real time.”

“Without explanation, CISA paused outreach efforts for promoting AIS in May 2022. CISA’s lack of outreach led to at least one major stakeholder being unaware of AIS,” the report said. “This stakeholder only became aware of the information-sharing capability by conducting its own research and contacting CISA directly to become a participant.”

The report said CISA was planning to create an “online marketplace” that would allow them to advertise AIS to data producers, but the agency reorganized its offices and never launched the marketplace.

The inspector general made attempts to interview senior leaders at CISA but were unsuccessful and never discovered the rationale behind why the agency decided to stop actively promoting AIS. 

The inspector general has released three reports examining AIS since it was created, finding over the years that the platform struggled due to the functionality of the tool, staffing inadequacies and more.  

CISA has previously faced backlash for its inconsistent threat sharing efforts. In June, an advisory committee demanded CISA make changes to a key public-private cybersecurity partnership after several unnamed participants complained to Politico that the initiative was “hampered by mismanagement,” slow to act on the tips provided and was not staffed with enough technical experts.

‘Alternative Approaches’

CISA also could not say how much it cost to upgrade and operate the AIS program “because it did not maintain expenditure data to readily allow auditing of AIS-related costs,” the OIG report said. 

The agency said it spent $31 million and $35 million in 2021 and 2022 respectively on information sharing capabilities but did not have a more detailed accounting of how that funding was used. 

“As a result, AIS stakeholders may be unable to identify and mitigate new cyber threats, potentially putting the Nation’s critical infrastructure at risk,” the investigators said. “Additionally, CISA’s inability to determine AIS costs limited our ability to identify whether taxpayer funds could have been put to better use.”

The report includes two recommendations that center on CISA director Jen Easterly developing and implementing plans to “actively recruit and retain Automated Indicator Sharing participants, including Federal data producers.”

They also suggest CISA maintain spending plans to document the future costs of the AIS program.

In a statement to Recorded Future News, a spokesperson for CISA said they concur with both recommendations and have already begun implementing them. Much of the statement is identical to what was in a letter sent by CISA to the inspector general in response to the report. 

“CISA is committed to strengthening the sharing of cyber threat information and improving documentation of future costs related to AIS,” the spokesperson said. 

“The agency is independently evaluating the AIS service, including exploring alternative approaches to its automated threat intelligence and information sharing capabilities that will align with the new long-term Threat Intelligence Enterprise Services strategy while remaining in compliance with CISA’s legal obligations.”

CISA’s letter to the inspector general, which was included in the report, said its Cybersecurity Division is leading the evaluation of the AIS service. The evaluation will eventually “culminate in a series of recommendations for CISA leadership consideration.” 

They estimate that this evaluation will be completed by July 31, 2025 and the spending plan will be created by December 31, 2024. 

The inspector general responded to this statement, noting that CISA did not mention implementing performance metrics in their response, forcing them to leave this issue unresolved until CISA provides further documentation. 

CISA has 90 days to provide follow-up responses to the inspector general.