Hacker-Threat Sharing Has Companies Waiting Amid Breaches
President Barack Obama’s plan to protect the U.S. from hackers was supposed to let more companies access classified data on computer threats so banks, utilities and other targets would be able to boost their cybersecurity.
Fourteen months later, it hasn’t happened.
While Lockheed Martin Corp. (LMT), Raytheon Co. (RTN) and 16 other companies have been tentatively approved to participate in the data-sharing program, they remain mired in the red tape of getting government approval to handle the classified data.
The delay in the Enhanced Cybersecurity Services program comes amid an increase in computer breaches that a recent survey shows could have been prevented. High-profile hacking attacks have included stolen credit-card data from Target Corp. in December and attempts last year to knock the websites offline for JPMorgan Chase & Co. and other banks.
“There’s a lot of information in the security world that should be known to others,” said Lars Harvey, chief executive officer of Internet Identity, a Tacoma, Washington-based organization that promotes the sharing of cybersecurity intelligence. “We need to speed up what we’re doing.”
About 71 percent of security experts say there should be a better way to share threat intelligence and 61 percent say doing so could have prevented a cyber-attack their company experienced, according to a survey released yesterday by the Ponemon Institute, a consulting company based in Traverse City, Michigan. Ponemon didn’t identify the companies surveyed.
The Enhanced Cybersecurity Services program was created in 2012 and let two companies, AT&T Inc. (T) and CenturyLink Inc. (CTL), use classified computer-threat data to sell security services to a list of approved companies that operate critical infrastructure. After Obama issued an executive order in February 2013 to expand the program, the Department of Homeland Security signed agreements with other companies seeking to be service providers.
In addition to the companies that will access the data, the department also must approve the companies that can buy the services from the providers. To date, DHS has approved 40 out of potentially thousands of companies that operate vital computer networks.
The approved companies work in the communications, energy and defense industries, according to a DHS official, who asked not to be named because they weren’t authorized to discuss the matter publicly. There are 14 other companies in the process of validation, including those that work in the chemical, financial and information-technology industries, the official said.
The program has been touted as an essential way to share cyberthreat data amid repeated warnings by U.S. Director of National Intelligence James Clapper and other Obama administration officials that hacking attacks on American companies have grown increasingly sophisticated and dangerous.
“Conceptually it’s a great idea,” said William Anderson, director of The Infrastructure Security Partnership, a coalition created after the Sept. 11, 2001, terrorist attacks. “I can understand why they would be holding off as long as they don’t have the assurance that the electronic sharing of the information is secure and done appropriately.”
Companies wanting to be service providers must have personnel with top secret security clearances and facilities to accept and handle classified data about malicious hacking threats, according to agreements signed by Lockheed and Raytheon with DHS that were obtained by Bloomberg News through a Freedom of Information Act request.
DHS said it “continues to work closely with our public and private sector partners” to expand the program. The arrangement “is a voluntary initiative intended to augment, not replace, existing security services operated by or available to critical infrastructure companies while protecting privacy and civil liberties,” DHS said in a statement.
The DHS official said information about hacking threats is also shared with companies through other programs.
The number of hacking attacks on computer networks around the world rose to 1.7 billion last year from 1.6 billion in 2012, according to a report from the Moscow-based Kaspersky Lab.
Lockheed, the world’s largest defense contractor, is in the process of demonstrating that its system can use and protect both classified and unclassified threat information, said Rich Mahler, director of commercial cybersecurity solutions for the company.
“The overall schedule was driven by the engineering required to design, procure, build, test and accredit the system to ensure that we protect classified intelligence while securing our clients networks,” he said in a telephone interview. “Approving the integration of our unclassified security process with ECS has required additional government validation.”
Lockheed is testing its system, which will be followed by independent validation by DHS, Mahler said. The Bethesda, Maryland-based company expects to win approval by July, he said.
Expanding the program also has been stymied by the partial federal-government shutdown in October, leadership changes within DHS and spending constraints imposed by Congress, said Jack Donnelly, director of global cybersecurity solutions for Waltham, Massachusetts-based Raytheon.
The leadership changes included Senate confirmation of Jeh Johnson as DHS secretary in December to replace Janet Napolitano, followed by confirmation of a new deputy secretary.
Raytheon is in the process of having its system and facilities certified by the department, Donnelly said in a phone interview. He declined to say when final approval might be given.
The inclusion of Lockheed and Raytheon in the program means that defense contractors will compete directly with traditional Internet service providers to sell hacking defense services. There are potentially thousands of customers, Donnelly said.
“We are competing to put advance capabilities up as fast as we possibly can,” he said.
CenturyLink is seeing “strong interest” in the program from companies finding value in it and expects continued growth, Diana Gowen, the company’s senior vice president and general manager, said in an e-mailed statement.
Anderson, with The Infrastructure Security Partnership, said members of his coalition have been wondering why the program isn’t being promoted very much. He said members want information about how it operates and he has contacted the department about helping to raise awareness of the effort.
Sixty-seven percent of the people in the Ponemon survey cited the need for a computer-automated system to exchange intelligence, which the Enhanced Cybersecurity Services program is intended to provide.
“Everybody has an interest in it,” Anderson said. The program hasn’t been promoted “long enough or well enough that we see a difference in the number of organizations applying to become a part of it.”
To contact the reporter on this story: Chris Strohm in Washington at firstname.lastname@example.org
To contact the editors responsible for this story: Bernard Kohn at email@example.com Elizabeth Wasserman, Romaine Bostick