recommended reading

New mandate would require military contractors to report cyber breaches

Defense Department file photo

This story has been updated with comments from the Defense Department.

The Defense authorization bill approved by Congress last week would require contractors to tell the Pentagon about penetrations of company-owned networks that handle military data. If President Obama signs the legislation into law, it would make permanent part of a Pentagon test program under which participating contractors report computer breaches in exchange for access to some classified cyber threat intelligence.

What began as a defense industrial base pilot program in 2011 was opened to all interested military vendors in May. In October, reports surfaced that five of the 17 initial contractors dropped out of part of the program in which the National Security Agency shares classified threat indicators with the participants, apparently because they concluded the requirements for participation were too expensive and time-consuming for any enhanced security benefit. At the time, Lockheed Martin Corp. executives who help run the program noted the growth potential of another segment of the program that allows contractors to voluntarily share information about breaches to their networks without revealing identifying information to fellow contractors and the government. Now they say interest in the whole program is increasing.

On Wednesday, Defense officials provided contradictory information about the popularity of the classified service. The number of participants in that component, called the Defense Industrial Base Enhanced Cybersecurity Services, or DECS, has not changed, said Pentagon spokesman Lt. Col. Damien Pickart.  “Today, 12 DIB companies continue to receive DECS services,” he said, referring to the same total reported in October.

The new mandate would arrive as Congress and the White House grapple with requiring similar communications across all critical sectors, including the energy, healthcare and defense industries. Obama as early as January is expected to issue an executive order, which doesn’t carry the heft or permanence of law, directing those sectors to report incidents and adhere to new cybersecurity standards.

But the Defense legislation stops short of requiring participation in the industrywide information-sharing program. And it does not address the Pentagon’s end of the deal, in which NSA shares classified warnings of imminent threats.

That second part basically reveals to contractors, or their Internet service providers, digital footprints of malicious software so antivirus scans can block the malware. The program’s regulations state that, in exchange for this intelligence, contractors must disclose breaches they have suffered “within 72 hours of discovery.”

Congress’s measure only states that contractors are mandated “to rapidly report” to the Defense Department each “successful penetration of the network or information systems” carrying military data.  

Earlier last week, Lockheed Martin executives said the whole voluntary program has flourished since the October reports of dropouts. The executives said they are not concerned about those departures and anticipate the program will grow.

It is believed the departing defense contractors, some of whom specialize in cyber defense, felt NSA’s intelligence was no more valuable than their own detective work.

But officials at Lockheed Martin, which is itself a major cybersecurity player and program participant, said the company is benefiting from the openness.

“We have a strong knowledge base but nobody is above learning from other people,” said Robert F. Smith, vice president of space and cyber for Lockheed Martin. “Everybody is better off when they get more information.”

However, Defense officials on Monday said that only the unclassified information-sharing component, which circulates non-identifying reports about company network penetrations, has attracted new members. That piece of the program has grown from 34 to 70 contractors, with new companies joining weekly, Pickart said. The department has “developed an outreach strategy” to encourage membership in both program elements, he said. But  “it is a business decision whether to voluntarily participate or not” in the classified service, Pickart stressed. 

The five contractors that left might rejoin if they can lessen the financial burden by applying the protections without an ISP, he added.

Lockheed has been tasked with, among other things, expanding the program to potentially 2,600 defense contractors, although it’s not clear how many of those will participate. On Monday, Lockheed spokesman Ken Darby said in an email that “under the DoD’s direction, we cannot release the number of companies participating in the program.” The total number of companies has grown since May, he reiterated, “and the fact that the total continues to increase demonstrates the value of the program.”

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    View
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    View
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    View
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    View
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    View
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    View

When you download a report, your information may be shared with the underwriters of that document.