The Pentagon is expanding and making permanent a trial program that teams the government with Internet carriers to protect defense firms’ computer networks against massive data theft by foreign adversaries.
It is part of a larger effort to broaden the sharing of classified and unclassified cyberthreat data between the government and industry in what Defense Department officials say is a promising collaboration between the public and private sectors.
“The expansion of voluntary information sharing between the department and the defense industrial base represents an important step forward in our ability to stay current with emerging cyber threats,” Ashton B. Carter, deputy secretary of defense, said in announcing the move Friday.
Carter noted that industry’s increased reliance on the Internet for daily business has exposed large amounts of sensitive information held on network servers to the risk of digital theft. Corporate cyber-espionage has reached epidemic scale, experts and officials say, with much of the activity traced to China and Russia.
Begun a year ago, the Defense Industrial Base [DIB] enhanced pilot program included 17 companies who volunteered to have commercial carriers such as Verizon and AT&T scan e-mail traffic entering their networks for malicious software. Outgoing traffic that shows signs of being redirected to illegitimate sites is blocked so that it does not fall into an adversary’s hands.
After initial difficulties, the program has become more effective, officials said, so much so that senior officials agreed at a White House meeting Thursday to expand it and make it permanent.
“It’s the best example of information sharing that helps in an operational way,” said Eric Rosenbach, deputy assistant secretary of defense for cyber policy. “We haven’t heard of any other country that’s doing anything like this — a really collaborative relationship between government and private sector.”
Rosenbach conceded the program was not perfect. “We’re definitely not claiming this is the silver bullet when it comes to cyber security for the defense firms,” he said. “It is an additional tool they can use to mitigate some of the risk of attacks.”
The carriers are using classified threat data or indicators provided by the National Security Agency to screen the traffic, as well as unclassified threat data provided by the Department of Homeland Security. DHS reviews all the screening data before it goes to the carriers. The companies may choose to turn over results of the screening to the government. The data would go to the DHS and could be shared with other agencies such as NSA and the FBI, but with strict privacy protections, officials said.
The entire program will remain voluntary, officials said. As of December, companies have had to pay their carrier for the service. It is unclear how many of the roughly 8,000 eligible defense contractors will want to sign up.
Rosenbach said he thought a number of companies would do it “because they see it as a good business decision and a good national security decision.”
The government also will allow companies beyond the current four carriers to offer the screening service if they can demonstrate that they have secure facilities and the capability, officials said.
A study last November by Carnegie-Mellon University said the pilot program showed the public-private model could work, but that initial results on the efficacy of the NSA measures were mixed, with the most value going to companies with less mature network defenses.
One telecom industry official familiar with the program said he thought the results were better than reflected in the report. “There are a lot of opportunities for improving,” said the official, who was not authorized to speak for the record. For instance, he said, “the longer it takes NSA to provide the data” to the carriers, the less useful the program will be. Overall, he said, “we think it was a successful model.”
The Pentagon is also enlarging a four-year-old cybersecurity program in which the Defense Department and contractors share threat data directly with each other. That program has 36 participants and could grow to about 1,000, said Pentagon deputy chief information officer Richard Hale.
The Defense Department move comes as legislation is pending in Congress to foster a broader exchange of cyberthreat data between the government and industry.
By Ellen Nakashima
May 11, 2012