Lockheed Martin Corp. and Raytheon Co. are vying with telecommunications companies to defend banks and power grids from computer attacks, in a program that gives them access to classified U.S. government data on cyber threats.
President Barack Obama’s Feb. 12 cybersecurity executive order authorized the Department of Homeland Security to let new companies get the government intelligence. Obama and U.S. officials have said sharing classified threat data with companies is essential to help prevent cyber-attacks that could cause deaths or economic disruption.
So far, the two defense contractors have signed up for DHS’s Enhanced Cybersecurity Services program, joining previous participants AT&T Inc. and CenturyLink Inc.
Under the program, the companies are provided, free of charge, computer threat “signatures,” such as timestamps and coding used in attacks, which have been obtained by the National Security Agency and other agencies. The companies can use this intelligence to strengthen cybersecurity services they sell to businesses that maintain critical infrastructure.
“The demand is there. I think the priority is there, and the threat is serious,” Steve Hawkins, vice president of information and security solutions for Raytheon, said in an interview.
Defense contractors like Raytheon view cybersecurity as a growing business as Pentagon spending stalls or declines on more traditional military programs, Hawkins said. Raytheon, of Waltham, Massachusetts, has acquired 12 companies specializing in cybersecurity since 2007, he said. The acquisitions include Greer, South Carolina-based Teligy Inc. in October, which specializes in wireless cyber protection, and Herndon, Virginia-based Trusted Computer Solutions Inc. in November 2010, which specializes in network security.
“We work with literally every organization across the government as well as many Fortune 500 companies,” Hawkins said. Raytheon now wants to “make cybersecurity affordable to medium- and small-sized businesses.”
The Homeland Security Department determines which companies qualify as “commercial service providers.” To be eligible, companies must be able to safeguard classified information, have employees with security clearances, and be positioned to provide cybersecurity services to businesses, Darrell Durst, a vice president of cyber solutions at Bethesda, Maryland-based Lockheed, said in an e-mail.
Lockheed, the nation’s largest contractor, already provides cybersecurity services to corporate and government clients and will use the new program “to offer additional cyber services to a broader set of customers,” Durst said.
Raytheon and Lockheed signed agreements with DHS within the past two weeks to join the program. So far, CenturyLink and Dallas-based AT&T, the biggest U.S. telephone carrier, are the only other approved providers.
“While it is a business opportunity, we also see it as vital to the continued economic vitality of the U.S.,” Diana Gowen, a senior vice president for Monroe, Louisiana-based CenturyLink, said in an e-mail.
The broader dissemination of cyber-threat data “in a controlled fashion is a good thing” and can “help assure that more companies have access to information for protecting their systems,” said Jessica Herrera-Flanigan, a partner with Monument Policy Group, a lobbying firm, and former Democratic staff director of the House Homeland Security Committee.
Defense contractors have worked with the Pentagon for years in using classified intelligence, and letting them “become involved more broadly with processing cyber threat information should aid in efforts to bolster the program,” Herrera-Flanigan said in an e-mail.
The creation of a market based on classified U.S. cyber threat data follows Congress’s failure in November to pass legislation requiring companies operating critical infrastructure to adopt cybersecurity standards.
Obama issued the executive order last month expanding DHS’s cybersecurity services program to boost protections for vital U.S. facilities, such as power grids, financial institutions and air-traffic control networks. DHS decides which infrastructure companies can contract with the cybersecurity providers, which can then use the government’s intelligence to scan their networks for the threat signatures and provide defenses.
There could eventually be dozens of commercial service providers from a variety of industries, Bruce McConnell, cybersecurity counselor at the Homeland Security Department, said in an interview. “I think you will see other companies get into this business,” he said.
Companies can get cyber threat information directly from DHS without using a commercial service provider if they have the proper security controls, McConnell said.
The commercial service providers can voluntarily share cybersecurity information with the government, according to Homeland Security.
Any data exchanged between government and service providers must be aggregated, anonymous and statistical, such as “the timestamp of the cyber event, the indicator that was involved, and the identification of the critical infrastructure sector of which the affected company is a member,” according to DHS.
Company names of victims or other identifiable information will not be shared, the department said.
The American Civil Liberties Union and other privacy groups have raised concerns in the past about companies sharing cybersecurity-related information with the government.
“A key question is how to balance the need for better, more timely cybersecurity information with other needs such as protection of privacy and civil rights as well as legitimate business and economic interests,” the Congressional Research Service wrote in a March 1 report, which was obtained and published by the Federation of American Sciences.