DoD Taps Commercial Internet Providers to Help Protect Defense Industry Networks

By Sandra I. Erwin

Weapons manufacturers and thousands of other Pentagon contractors are responsible for protecting much of the military’s most sensitive data.

But the Defense Department has of late lost confidence in industry’s ability to secure its intellectual property from cyber theft. It also has recognized that the government has limited technological tools to protect industry-held data.

So the Pentagon is now asking companies to voluntarily sign up for data-security programs offered by Internet service providers such as Verizon and AT&T.

This new approach to protecting defense industry data is the latest twist in a cybersecurity pilot program that began four years ago when the Pentagon asked companies to voluntarily share information about network intrusions and malware attacks.

In exchange for volunteering details about cyber intrusions, the government would analyze the malware and send back to industry valuable intelligence on the source and scope of the hacking.

Over the past four years, 36 companies have signed up for the exchange program.

But that is hardly enough, considering that there is an estimated pool of 8,000 companies that are believed to be eligible for this program.

The number was calculated based on how many companies have employees and facilities cleared for classified work, said the Pentagon’s Deputy Chief Information Officer for Cybersecurity, Richard Hale.

The Pentagon would like to see at least 1,000 companies join the so-called “Defense Industrial Base Cyber Security/Information Assurance” program, Hale said in a May 14 conference call with defense journalists and bloggers.

In an extraordinary move, the Pentagon last week announced it is expanding the program to allow commercial Internet Service Providers, or ISPs, to offer cybersecurity services to participating defense contractors. The expanded information-assurance program is called Defense Industrial Base Enhanced Cybersecurity Services.

The Defense Department agreed to provide classified and unclassified “threat signatures” to three commercial ISPs so they could develop security tools that they could sell to defense contractors in a fee-for-service arrangement.

Hale said he could not discuss the cost of the ISP services, and stressed that it was entirely up to each defense firm to decide whether to sign up for the services.

Since the May 11 announcement that the program is being expanded, more than 250 companies have expressed interest, Hale said.

“We are starting to see responses,” he said. “We think there’s pent-up demand for participation. But it’s too early to tell how many companies are going to join.”

The Pentagon concluded that it made sense to use ISPs — which have access to advanced cybersecurity tools — to provide network protection services to defense contractors. The alternative would be to have to share classified information with the contractors and expect them to use that data to build their own cybersecurity systems, said Hale.

Eric Rosenbach, deputy assistant secretary of defense for cyber policy, said the three ISPs that so far were approved for the program had to meet stringent security requirements and had to invest their own money in building the highly classified infrastructure and technology that is needed to protect defense industry networks.

“The defense industrial base faces unrelenting attacks from sophisticated actors who are trying to steal intellectual property and sensitive defense information,” he said. “We want to do something to address that. … Firms may not be necessarily equipped to defend against those threats.”

The Pentagon is asking defense firms to consider using the ISPs’ services, but has no say in what the ISPs charge.

“We don’t know how they [ISPs] are profiting or if they’re profiting,” he said. From the Defense Department’s perspective, “They’re addressing a need, and it doesn’t cost the government any research and development dollars.”

This marks a significant change in the Defense Department’s cybersecurity business model, he said. “It’s a new type of collaboration between government and the private sector.” The fee-for-service arrangement is not a “silver bullet,” but it’s one way to deal with growing risks of cyber attacks, said Rosenbach.

Because ISPs are commercial firms, their cybersecurity programs fall under the bailiwick of the Department of Homeland Security. Since the launch of the defense industry effort, said Rosenbach, Defense and DHS have dramatically increased collaboration. “Trust has improved over the course of the program,” he said. “We’re working closely.”

DHS’ capacity has “improved dramatically,” he said. “They get an unfair bad rap in cybersecurity.”

To assuage privacy concerns, the Pentagon had the Justice Department and several government experts review the defense industrial base program. Rosenbach insisted that any information provided by industry is shared on a voluntary basis.

“It seems unbelievable to some folks who haven’t spent a lot of time in this space that firms don’t have to necessarily report that they’ve been hacked.”

In the four years the program has been running, “We built trust,” said Hale. “Companies have reported voluntarily. They got value back. … Their defenses improved the more they reported.”

Hale noted that the defense industry program is only one piece of the larger U.S. government cybersecurity apparatus.

“We don’t know how to defeat the cyber threat yet” but this project is one step in that direction, he said.

Comments

Re: DoD Taps Commercial Internet Providers to Help Protect Defense Industry Networks

Excellent article. Raised two questions: 1. Is the Internet the only cost-effective means to secure data? Need to develop alternatives. 2. There is a need to develop a Standard Cyber Threat Analysis (CTA) Format, which is acceptable to DOD as well as the Defense Industry participants.
Michael R Janay at 5/14/2012 10:19 PM

Re: DoD Taps Commercial Internet Providers to Help Protect Defense Industry Networks

This whole initiative is BS. Most of these methods of supposed programs are either grossly insufficient or are a way to get more control over people & their data, while not delivering on protection promises (see TPM & Clipper). Anyone that thinks the government wants our computers secure is a fool: their dual mission means they always need a backdoor. This is evidenced by the numerous attempts at backdooring our stuff, including recent keylogger proposals. (Which can't stop a Cablegate, I'll add.) Further, high assurance systems at EAL6/EAL7 level are still classified as munitions, making good ROI impossible.

The only way to stop these attacks isn't government "signatures," backdoors, TPMs, etc. It's simply good INFOSEC practices. Physical, personnel, PC, etc. security must be considered. Effective strategies to mitigate entire classes of attacks have existed for years, some free or close to it. Simply not getting done. Other approaches cost-effectively reduce risk or smooth out recovery. Govt investing into these things would be GREAT. They rarely do & in fact they killed off the high assurance market, as Bell shows in the paper below. So, rather than promoting high assurance systems (even medium), the govt actively promotes low assurance systems for the public. To IMPROVE our security? Doubt it. ;)

Bell Looking Back
http://selfless-security.offthisweek.com/presentations/Bell_LBA.pdf

Nick P
schneier.com blog
Nick P at 5/19/2012 1:14 PM
