Defense Plan for Cyber Intel Sharing Looks Like Controversial House Bill


The Pentagon’s proposed 2014 budget outlines a cybersecurity program that is similar to a controversial bill the House is expected to vote on this week.

The Defense Department's funding request would finance "a comprehensive coordinated cybersecurity information sharing system that will serve as the foundation for cybersecurity information sharing requirements across the government." The system, "in real-time," would allow relevant pieces of information to reach authorized personnel throughout the government, so all can "connect the dots in identifying cybersecurity threats," according to budget documents.

White House budget slides indicate that $79 million would be distributed across the departments of Homeland Security, Justice and Defense to "help agencies and the private sector connect the dots in identifying and responding to cyber incidents." DHS plans to contribute $44 million to the program, in part for "protecting individual privacy and civil liberties," according to a department 2014 spending summary. Defense’s budget breakdown for cyber is not available yet, Pentagon officials said.

But the "real-time" part of the program requires new legislation, according to Gen. Keith Alexander, who is both head of Cyber Command and director of the National Security Agency.

“It's a legal barrier, not a technical one,” said Ed Skoudis, founder of Counter Hack Challenges. The company built CyberCity, a 3-D model town that government and industry are using to practice securing and attacking private networks.

Only Congress can authorize new privacy and liability protections so that Internet companies do not have to go through lawyers before disclosing, for example, the timestamp on a customer’s email that contained malicious code.

The Cyber Intelligence Sharing and Protection Act, or CISPA, would grant protections and allow NSA into the sharing circle. The House Intelligence Committee approved the measure on Wednesday and a floor vote is anticipated this Thursday.

While Alexander has not explicitly endorsed CISPA, his description of a key element needed in statute sounds a lot like it: The Defense program would require "the ability for industry to tell us in real time, and this is specifically the Internet service providers, when they see in their networks an attack starting. They can do that in real time. They have the technical capability, but they don't have the authority to share that information with us in -- at network speed. And they need liability protection when we share information back and forth and they take actions," he said at a March Senate hearing.

Interagency and public-private communication loops feed off of each other, federal officials say. When agencies exchange quality intelligence, “this both increases government security and improves the signatures given to industry,” a former Defense official who served until last fall said. Signatures are descriptions of harmful code loaded into anti-virus software to detect threats.

Since joining in would be voluntary for companies under CISPA and current regulations, industry “needs the best possible information in order to see value in participating. Industry then shares with the government, ideally in real-time, thus completing the picture,” the official explained.

But CISPA has detractors in some high places. The Obama administration threatened to veto the measure last year, due to civil liberties concerns. The bill successfully passed the House, yet Senate Democrats, the White House and Republicans could not agree on the scope of interactions.

Last week, committee members tweaked the text to strike a better balance between security and privacy. One amendment requires the government to put restrictions on the use, storage and searching of data submitted by businesses.

Privacy advocates were unsatisfied.

“The core problem is that CISPA allows too much sensitive information to be shared with too many people in the first place, including the National Security Agency,” Michelle Richardson, legislative counsel for the American Civil Liberties Union, wrote in a Friday column on the organization’s website.
