Bill would require Defense to explore new cybersecurity buys and tools

Funding would support partnerships with industry to track threats, streamline the acquisition of cyber products and services, and integrate network security tools.

The Senate version of the fiscal 2011 Defense authorization bill scheduled to be released later this week will include funding for pilot programs that will explore new ways for Defense Department agencies and contractors to gain greater access to cybersecurity tools and services, according to sources from the Armed Services Committee.

Sen. Carl Levin, D-Mich., chairman, announced on May 28 that the committee completed the markup of its version of the Defense bill, which includes funding for projects that require the department to partner with industry to track cyber threats, speed the acquisition of cybersecurity products and services, and integrate information security tools from different software vendors so they function better with one another on agency networks.

The funding would add to the $10 million in the fiscal 2010 supplemental appropriations bill the Senate passed on May 27 for the Defense and Homeland Security departments to conduct cybersecurity pilots, said committee staffers.

"The language in the supplement is fairly broad, giving a lot of discretion for the [Office of the Secretary of Defense] to define what cybersecurity pilots can be done," said one staffer. "We have similar language in the armed services bill, but we also talk about more specific projects."

The first of those projects would be conducted in partnership with DHS, which would lead development of a consortium of major telecommunications companies and Internet service providers that could offer visibility into global networks and give early warnings of potential cyberattacks against federal computer systems.

"If you add up the percentage of the world's traffic that the top 10 [telecommunications companies] see, it's a large percentage," the staffer said. "By combining [that visibility], and figuring out ways to share information in real time with automated tools, you could get a nice picture of what's happening."

A related program would explore ways that Defense could enter into contracts with one or more telecommunications companies to provide managed network security services to its industrial base. A military contractor could outsource security services to a company, which then would monitor the traffic flowing in and out of designated networks.

Two other programs in the bill would seek ways to improve how the department acquires and deploys cybersecurity tools. The first would explore more innovative and less onerous procurement models that Defense could use to quickly acquire the cyber tools and capabilities needed to respond to urgent threats against federal networks. The second would create a framework based on open standards that would integrate security tools from different vendors onto a single platform.

"The idea is to take a building block approach that allows any vendor to come in and integrate their tool into this standards-based framework," said the staffer, who pointed to the Security Content Automation Protocol, which tests computer networks and tools for compliance with a range of security standards, as a model for a framework.

The House version of the authorization bill, which passed on Friday, also charges Defense to explore new ways to address cybersecurity requirements by conducting a pilot program to test how computer security features can be built into information systems during the development process. The bill would provide $5 million for the program, which would run until October 2015 and require the Defense secretary to submit an annual report on its progress to Congress.

Also in the House bill is a requirement for Defense to assess potential ways that modeling and simulation tools can be used to identify network vulnerabilities and deter malicious activities. The bill requires the Defense secretary to submit to the House and Senate Armed Services committees by Jan. 1, 2012, recommendations on how the tools could be used to strengthen cybersecurity.