The Pentagon predicts that as many as 1,000 defense contractors may join a voluntary effort to share classified information on cyber threats under an expansion of a first-ever initiative to protect computer networks.
Following a pilot program that involved 36 contractors and three of the biggest U.S. Internet providers, the Obama administration approved a rule letting the Pentagon enlist all contractors and Internet providers with security clearances in the information exchange, according to Eric Rosenbach, deputy assistant secretary of defense for cyber policy.
“This is an important milestone in voluntary information-sharing between government and industry,” Rosenbach said in an interview yesterday at the Pentagon. Richard Hale, the Pentagon’s deputy chief information officer for cybersecurity, said that 1,000 companies may participate.
If the Pentagon’s effort proves successful in safeguarding defense contractors from cyber attacks, the administration may enlarge the program to companies in 15 other critical infrastructure categories through the Department of Homeland Security, Rosenbach said.
Cyber threats facing the U.S. defense industry and its “unclassified information systems represent an unacceptable risk of compromise of DoD information and pose an imminent threat to U.S. national security and economic security interests,” according to the federal rule authorizing the expanded Department of Defense program.
Hackers in China
Information needs to be shared because hackers, especially in China, are accelerating efforts to penetrate computer networks such as those of defense contractors, Rear Admiral Samuel Cox, director of intelligence for U.S. Cyber Command, told reporters at a conference last month.
“Chinese capabilities in computer network operations have advanced sufficiently to pose genuine risk to U.S. military operations in the event of a conflict,” according to a March report by the U.S.-China Economic Security Review Commission, a group created by Congress to monitor China.
Using a secure portal called DIBnet, the Pentagon will provide both classified and unclassified information on cybersecurity threats, and defenses against them, to companies that have security clearances and agree to participate, according to Rosenbach and Hale.
“You are using special intelligence information derived somewhere else in the world to put into” cybersecurity, Rosenbach said in the interview. “So it is more active than simply waiting for an attack to come.”
Internet providers such as Verizon Communications Inc. and defense contractors including Lockheed Martin Corp. have said they participated in the pilot program and intended to continue in an expanded effort.
“We might share with the companies what kind of cyber attack trends we are seeing inside DoD -- if a particular kind of phishing attack, for instance, has become more prevalent,” Hale said.
Rosenbach said participants also may elect to join an “enhanced effort” under which the Defense Department will provide fixes for each type of threat to Internet providers and other eligible companies, which in turn will screen the network traffic flowing to the contractors. That initiative has been in testing for a year.
While the Pentagon initiative is based on voluntary information-sharing, President Barack Obama has threatened to veto legislation that also would encourage government and companies to share data voluntarily while giving business legal immunity for such exchanges. The measure passed the Republican-controlled House on April 26.
Instead, Obama has backed legislation in the Democratic-controlled Senate that would give the Department of Homeland Security authority to regulate the cybersecurity of vital systems such as power grids and transportation networks.
The Senate bill has “robust privacy protections, which the House bill lacks,” Caitlin Hayden, a White House spokeswoman, said in an e-mail. “The administration believes information sharing is an essential component of comprehensive legislative reform, but not alone sufficient to address the critical infrastructure vulnerabilities that threaten our nation’s security.”
Booz Allen, SAIC
Lockheed, based in Bethesda, Maryland, and New York-based Verizon have said they would take the Pentagon-provided information and offer a package of cybersecurity services for a fee to other contractors. The companies have said they are working to determine how much customers would have to pay for such services that draw on U.S. intelligence.
Booz Allen Hamilton Holding Corp. and SAIC Inc., both based in McLean, Virginia, and Computer Sciences Corp., based in Falls Church, Virginia, participated in developing and running the cyber information-sharing program, according to Jason Wilson, an analyst with Bloomberg Government. In addition to Verizon, Internet providers AT&T Inc. and CenturyLink Inc. joined the pilot program.
Companies that choose not to participate won’t be penalized when bidding for defense contracts, Hale said. U.S. subsidiaries of foreign-owned contractors must have a security clearance to participate in the program, he said.
“The expansion of voluntary information-sharing between the department and the defense industrial base represents an important step forward in our ability to stay current with emerging cyber threats,” Ashton Carter, deputy defense secretary, said in an e-mailed statement.