
Defense Plan for Cyber Intel Sharing Looks Like Controversial House Bill


The Pentagon’s proposed 2014 budget outlines a cybersecurity program that is similar to a controversial bill the House is expected to vote on this week.

The Defense Department's funding request would finance "a comprehensive coordinated cybersecurity information sharing system that will serve as the foundation for cybersecurity information sharing requirements across the government." The system, "in real-time," would allow relevant pieces of information to reach authorized personnel throughout the government, so all can "connect the dots in identifying cybersecurity threats," according to budget documents.

White House budget slides indicate that $79 million would be distributed across the departments of Homeland Security, Justice and Defense to "help agencies and the private sector connect the dots in identifying and responding to cyber incidents." DHS plans to contribute $44 million to the program, in part for "protecting individual privacy and civil liberties," according to a department 2014 spending summary. Defense’s budget breakdown for cyber is not available yet, Pentagon officials said.

But the "real-time" part of the program requires new legislation, according to Gen. Keith Alexander, who is both head of Cyber Command and director of the National Security Agency.

“It's a legal barrier, not a technical one,” said Ed Skoudis, founder of Counter Hack Challenges. The company built CyberCity, a 3-D model town that government and industry are using to practice securing and attacking private networks.

Only Congress can authorize new privacy and liability protections so that Internet companies do not have to go through lawyers before disclosing, for example, the timestamp on a customer’s email that contained malicious code.

The Cyber Intelligence Sharing and Protection Act, or CISPA, would grant protections and allow NSA into the sharing circle. The House Intelligence Committee approved the measure on Wednesday and a floor vote is anticipated this Thursday.

While Alexander has not explicitly endorsed CISPA, his description of a key element needed in statute sounds a lot like it: The Defense program would require "the ability for industry to tell us in real time, and this is specifically the Internet service providers, when they see in their networks an attack starting. They can do that in real time. They have the technical capability, but they don't have the authority to share that information with us in -- at network speed. And they need liability protection when we share information back and forth and they take actions," he said at a March Senate hearing.

Interagency and public-private communication loops feed off of each other, federal officials say. When agencies exchange quality intelligence, “this both increases government security and improves the signatures given to industry,” a former Defense official who served until last fall said. Signatures are descriptions of harmful code loaded into anti-virus software to detect threats.

Since joining in would be voluntary for companies under CISPA and current regulations, industry “needs the best possible information in order to see value in participating. Industry then shares with the government, ideally in real-time, thus completing the picture,” the official explained.

But CISPA has detractors in some high places. The Obama administration threatened to veto the measure last year, due to civil liberties concerns. The bill successfully passed the House, yet Senate Democrats, the White House and Republicans could not agree on the scope of interactions.

Last week, committee members tweaked the text to strike a better balance between security and privacy. One amendment requires the government to put restrictions on the use, storage and searching of data submitted by businesses.   

Privacy advocates were unsatisfied.

“The core problem is that CISPA allows too much sensitive information to be shared with too many people in the first place, including the National Security Agency,” Michelle Richardson, legislative counsel for the American Civil Liberties Union, wrote in a Friday column on the organization’s website.
