New mandate would require military contractors to report cyber breaches

This story has been updated with comments from the Defense Department.

The Defense authorization bill approved by Congress last week would require contractors to tell the Pentagon about penetrations of company-owned networks that handle military data. If President Obama signs the legislation into law, it would make permanent part of a Pentagon test program under which participating contractors report computer breaches in exchange for access to some classified cyber threat intelligence.

What began as a defense industrial base pilot program in 2011 was opened to all interested military vendors in May. In October, reports surfaced that five of the 17 initial contractors dropped out of part of the program in which the National Security Agency shares classified threat indicators with the participants, apparently because they concluded the requirements for participation were too expensive and time-consuming for any enhanced security benefit. At the time, Lockheed Martin Corp. executives who help run the program noted the growth potential of another segment of the program that allows contractors to voluntarily share information about breaches to their networks without revealing identifying information to fellow contractors and the government. Now they say interest in the whole program is increasing.

On Wednesday, Defense officials provided contradictory information about the popularity of the classified service. The number of participants in that component, called the Defense Industrial Base Enhanced Cybersecurity Services, or DECS, has not changed, said Pentagon spokesman Lt. Col. Damien Pickart.  “Today, 12 DIB companies continue to receive DECS services,” he said, referring to the same total reported in October.

The new mandate would arrive as Congress and the White House grapple with requiring similar communications across all critical sectors, including the energy, healthcare and defense industries. Obama as early as January is expected to issue an executive order, which doesn’t carry the heft or permanence of law, directing those sectors to report incidents and adhere to new cybersecurity standards.

But the Defense legislation stops short of requiring participation in the industrywide information-sharing program. And it does not address the Pentagon’s end of the deal, in which NSA shares classified warnings of imminent threats.

That second part basically reveals to contractors, or their Internet service providers, digital footprints of malicious software so antivirus scans can block the malware. The program’s regulations state that, in exchange for this intelligence, contractors must disclose breaches they have suffered “within 72 hours of discovery.”

Congress’s measure only states that contractors are mandated “to rapidly report” to the Defense Department each “successful penetration of the network or information systems” carrying military data.  

Earlier last week, Lockheed Martin executives said the whole voluntary program has flourished since the October reports of dropouts. The executives said they are not concerned about those departures and anticipate the program will grow.

It is believed the departing defense contractors, some of whom specialize in cyber defense, felt NSA’s intelligence was no more valuable than their own detective work.

But officials at Lockheed Martin, which is itself a major cybersecurity player and program participant, said the company is benefiting from the openness.

“We have a strong knowledge base but nobody is above learning from other people,” said Robert F. Smith, vice president of space and cyber for Lockheed Martin. “Everybody is better off when they get more information.”

However, Defense officials on Monday said that only the unclassified information-sharing component, which circulates non-identifying reports about company network penetrations, has attracted new members. That piece of the program has grown from 34 to 70 contractors, with new companies joining weekly, Pickart said. The department has “developed an outreach strategy” to encourage membership in both program elements, he said. But  “it is a business decision whether to voluntarily participate or not” in the classified service, Pickart stressed. 

The five contractors that left might rejoin if they can lessen the financial burden by applying the protections without an ISP, he added.

Lockheed has been tasked with, among other things, expanding the program to potentially 2,600 defense contractors, although it’s not clear how many of those will participate. On Monday, Lockheed spokesman Ken Darby said in an email that “under the DoD’s direction, we cannot release the number of companies participating in the program.” The total number of companies has grown since May, he reiterated, “and the fact that the total continues to increase demonstrates the value of the program.”