By Sandra I. Erwin
Weapons manufacturers and thousands of other Pentagon contractors are responsible for protecting much of the military’s most sensitive data.
But the Defense Department of late has lost confidence in industry’s ability to secure its intellectual property from cyber theft. It also has recognized that the government has limited technological tools to protect industry-held data.
So the Pentagon is now asking companies to voluntarily sign up for data-security programs offered by Internet service providers such as Verizon and AT&T.
This new approach to protecting defense industry data is the latest twist in a cybersecurity pilot program that began four years ago when the Pentagon asked companies to voluntarily share information about network intrusions and malware attacks.
In exchange for volunteering details about cyber intrusions, the government would analyze the malware and send back to industry valuable intelligence on the source and scope of the hacking.
Over the past four years, 36 companies have signed up for the exchange program.
But that is hardly enough, considering that there is an estimated pool of 8,000 companies that are believed to be eligible for this program.
The number was calculated based on how many companies have employees and facilities cleared for classified work, said the Pentagon’s Deputy Chief Information Officer for Cybersecurity Richard Hale.
The Pentagon would like to see at least 1,000 companies join the so-called “Defense Industrial Base Cyber Security/ Information Assurance” program, Hale said in a May 14 conference call with defense journalists and bloggers.
In an extraordinary move, the Pentagon last week announced it is expanding the program to allow commercial Internet Service Providers, or ISPs, to offer cybersecurity services to participating defense contractors. The expanded information-assurance program is called Defense Industrial Base Enhanced Cyber security Services.
The Defense Department agreed to provide classified and unclassified “threat signatures” to three commercial ISPs so they could develop security tools that they could sell to defense contractors in a fee-for-service arrangement.
Hale said he could not discuss the cost of the ISP services, and stressed that it was entirely up to each defense firm to decide whether to sign up for the services.
Since the May 11 announcement that the program is being expanded, more than 250 companies have expressed interest, Hale said.
“We are starting to see responses,” he said. “We think there’s pent-up demand for participation. But it’s too early to tell how many companies are going to join.”
The Pentagon concluded that it made sense to use ISPs — which have access to advanced cybersecurity tools — to provide network protection services to defense contractors. The alternative would be to have to share classified information with the contractors and expect them to use that data to build their own cybersecurity systems, said Hale.
Eric Rosenbach, deputy assistant secretary of defense for cyber policy, said the three ISPs that so far were approved for the program had to meet stringent security requirements and had to invest their own money in building the highly classified infrastructure and technology that is needed to protect defense industry networks.
“The defense industrial base faces unrelenting attacks from sophisticated actors who are trying to steal intellectual property and sensitive defense information,” he said. “We want to do something to address that. … Firms may not be necessarily equipped to defend against those threats.”
The Pentagon is asking defense firms to consider using ISP’s services, but has no say in what ISPs charge.
“We don’t know how they [ISPs] are profiting or if they’re profiting,” he said. From the Defense Department’s perspective, “They’re addressing a need, and it doesn’t cost the government any research and development dollars.”
This marks a significant change in the Defense Department’s cybersecurity business model, he said. “It’s a new type of collaboration between government and the private sector.” The fee-for service arrangement is not a “silver bullet,” but it’s one way to deal with growing risks of cyber attacks, said Rosenbach.
Because ISPs are commercial firms, their cybersecurity programs fall under the bailiwick of the Department of Homeland Security. Since the launch of the defense industry effort, said Rosenbach, Defense and DHS have dramatically increased collaboration. “Trust has improved over the course of the program,” he said. “We’re working closely.”
DHS’ capacity has “improved dramatically,” he said. “They get an unfair bad rap in cybersecurity.”
To assuage privacy concerns, the Pentagon had the Justice Department and several government experts review the defense industrial base program. Rosenbach insisted that any information provided by industry is shared on a voluntary basis.
“It seems unbelievable to some folks who haven’t spent a lot of time in this space that firms don’t have to necessarily report that they’ve been hacked.”
In the four years since the program has been running, “We built trust,” said Hale. “Companies have reported voluntarily. They got value back. … Their defenses improved the more they reported.
Hale noted that the defense industry program is only one piece of the larger U.S. government cybersecurity apparatus.
“We don’t know how to defeat the cyber threat yet” but this project is one step in that direction, he said.