Defense contractors receive classified information on hacker threats

In response to an unprecedented wave of attacks on the Defense Department's computer networks, and possible theft of information about U.S. weapons systems by foreign governments, the Pentagon has quietly begun sharing classified intelligence about hackers and online threats with the country's biggest defense contractors.

The intelligence-sharing program began almost two years ago, after top Pentagon leaders realized that hackers were trying to steal information not just by breaking into government computers but also by going after corporations that contract with the government. These private computers and networks often contain the same sensitive and classified information found in the government's systems.

The new intelligence partnership, which has not been previously reported, is known as the Defense Industrial Base initiative, or "the DIB." The department formally launched the program in September 2007, but it took a year to work out a legal arrangement by which the contractors and the government could confidentially share information. In mid-2008, the effort ramped up after what was described as a hair-raising meeting in a secured facility at the Pentagon in which officials gave temporary security clearances to chief executives from the biggest defense firms and delivered a no-holds-barred briefing on the range of successful cyberattacks launched against the government and their companies. The executives "went in with dark hair and came out with white hair," said James Lewis, a prominent cyber-security expert and a fellow at the Center for Strategic and International Studies, who is familiar with the meeting. "I think that was a shocker for most people."

Weaknesses in corporate defenses can threaten top government secrets. Last month, The Wall Street Journal reported that cyber-spies targeted companies helping to build the Joint Strike Fighter and stole design information that could make it easier for adversaries to defend against the airplane. The paper reported that the breaches began as early as 2007 and perhaps continued into 2008, a period that generally coincides with the intelligence-sharing program's start-up.

Since then, Pentagon leaders have met with "the highest levels of all the different companies" in the defense industrial base, a senior Defense official told National Journal. Former Deputy Defense Secretary Gordon England "took this as a top priority, and he made sure that we got the highest levels of all the companies aware of the cyber-threat and the whole circumstances around it," said Robert Lentz, the deputy assistant Defense secretary who oversees the intelligence-sharing partnership.

According to a dozen industry and government officials interviewed by NJ, the pilot DIB has been running largely unnoticed. It is restricted to companies in the defense sector. But the White House has received a proposal to expand the program to other economic sectors that are at risk of cyberattack, such as the electrical power and financial services industries. In written recommendations to Melissa Hathaway, President Obama's cyber-security adviser, the Intelligence and National Security Alliance, a nonpartisan association of intelligence professionals, called the Pentagon's program a "fledgling effort" that "should be fully supported." The group's former chairman, John Brennan, is Obama's top counter-terrorism and homeland-security adviser.

The Pentagon is working with the Homeland Security Department to broaden the model for other vital infrastructure sectors, Lentz said.

The program has worked out a consistent, if not real-time, process for sharing cyber-intelligence. Every two weeks, the Defense Department briefs the 30 companies participating in the DIB on potential vulnerabilities in computer networks, as well as on specific threats that the government has found in the course of its regular scouting in cyberspace. Experts cull the data from a number of intelligence and military organizations, Lentz said, including the Joint Task Force-Global Network Operations, which is responsible for protecting military computer networks, and the National Security Agency's Threat Operations Center, which monitors global communications networks for threats to defense and intelligence agencies.

The information comes in two forms, Lentz said: an unclassified report that executives can share with the technicians who manage their networks, and a classified report of "contextual information" that the firms can use to protect themselves.

The Defense Department has a compelling interest in protecting the data on its contractors' systems. "This is DOD information that is at risk," Lentz said. The companies may own their networks, but the information traveling on them belongs to the government and is considered a vital national defense asset.

Lentz declined to specify what threats have turned up or what attacks have occurred. But he said that the senior-level attention at the Pentagon was triggered by a notable increase in attacks. "In the past 18 months, we've seen a significant spike in cyber-criminal activity," he said.

A significant portion of that activity appears to be cyber-espionage -- the theft of restricted information through the Internet. Senior defense and intelligence officials have been sounding the alarm for several months about cyber-espionage by computers based in China. They've also singled out organized cyber-crime rings in Russia. In an interview with NJ last year, Joel Brenner, the nation's top counter-intelligence official, named both countries as major sources of sophisticated and relentless cyberattacks.

Corporations are reluctant to confirm that they are part of the DIB initiative, and Lentz wouldn't give any names. But sources familiar with the membership say that it includes the top tier of defense contractors, and that smaller companies are joining the group as well. Officials with Raytheon and Northrop Grumman confirmed that their companies are members.

It's not surprising that some contractors want to remain silent. Some executives fear that hackers will only try harder to breach their systems if they know that their networks contain information so valuable that the military and the intelligence community are helping to protect it, according to one industry official who works with the DIB. The program is not classified, but it has created a forum in which contractors feel safe enough to disclose weaknesses in their defenses without fear of inviting attack or drawing public attention.

Historically, corporate leaders have been loath to share this kind of information with the government for fear of negative press, or because they think it will limit their opportunities to win future business. For nearly a decade, cyber-security experts have warned that the lack of consistent information flow between government and industry has weakened overall security.

"This is all about trust," Lentz said of the DIB, "and all about a mutual understanding of the consequences of not taking immediate action to find out what's causing a particular event."

The program is not a one-way street. In addition to the regular threat reports that contractors receive from government, they are expected to report any intrusions into their systems within 72 hours of the event, Lentz said. That information goes to a Defense Department cyber-forensics team that specializes in tracing the source of an attack and learning how it was done. "When we determine that someone is trying to attack our networks ... we'll report that very quickly," said Steve Hawkins, vice president of information security solutions at Raytheon. "The government in turn can then provide that information out to the other partners."

Although participants say that the new partnership was not spawned by one particular incident, its birth closely followed a June 2007 attack on Pentagon computer systems that surprised senior officials for its breadth and severity.

As first reported in September 2007 by the Financial Times, the Chinese military hacked into a Pentagon computer network three months earlier, in what U.S. officials called "the most successful cyberattack on the U.S. Defense Department." The attack showed an alarming level of sophistication and precision. "China had shown it could disrupt systems at critical times," the newspaper reported.

In September 2007, Forbes reported, "the same spies may have been combing through the computer systems of major U.S. defense contractors for more than a year." That same month, the DIB initiative took shape.

The Defense Department was not reacting to an isolated event, Lentz emphasized. "We've been very much concerned about ... the breadth of the cyber-movement in terms of their aggressiveness, their skills sets," he said, calling cyberspace "increasingly volatile."

Lewis of CSIS, who directed a comprehensive cyber-security study for the Obama administration, agreed that the threat was, and is, pervasive and persistent. "It wasn't that we got whacked by a two-by-four; we were getting whacked by a two-by-four every week."