Cyber defense effort is mixed, study finds

A Pentagon pilot program that uses classified National Security Agency data to protect the computer networks of defense contractors has had some success but also has failed to meet some expectations, according to a study commissioned by the Defense Department.

The program showed that Internet carriers could be trusted to handle the NSA data, that direct government monitoring of private networks could be avoided and that the measures could be of particular benefit to companies with less mature cyber defense capabilities, according to the Carnegie Mellon University study.

Although researchers said the pilot had demonstrated the concept of information sharing, they also cited deficiencies in the way it was implemented. The test program, which began last May, relied on NSA “signatures” or fingerprints of malicious computer code that in initial stages were “stale when deployed” and in many cases did not prevent intrusions that the companies could not have blocked themselves, according to the report, which was not publicly released by the Pentagon but was shared with Congress this week.

The unclassified study, which was obtained by The Washington Post, underscores the operational, legal and policy challenges in building a robust defense of critical U.S. computer networks as foreign rivals and other adversaries seek to penetrate systems, steal data and perhaps lay the groundwork for a destructive attack.

“Unfortunately, the report highlights one of my continuing points: that there is no silver bullet in cybersecurity,” said Rep. James R. Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus. “Signature-based defenses alone will never be enough to secure our critical infrastructure. We need a comprehensive approach that incorporates innovative information sharing with industry, while holding them accountable for stronger security.”

The Defense Industrial Base cyber pilot includes 17 defense companies, among them Bethesda-based Lockheed Martin, which several years ago had terabytes of data related to the Pentagon’s Joint Strike Fighter project stolen from its networks.

In the pilot, the Internet carriers AT&T, Verizon and CenturyLink filter firms’ incoming e-mail for malicious software using classified NSA signatures. The pilot tested two concepts: Incoming malicious e-mails were quarantined and outbound traffic headed for suspicious Web sites was redirected.

The e-mail measure was considered effective, yielding few false positives. But companies reported large numbers of false positives in the redirecting of outbound traffic headed for bad Web sites, the report said. Still, these two measures should “play a critical role” in a broader effort to secure critical networks, the report said.

The pilot allows companies to share data with the government, and some companies have opted to send information to the Department of Defense Cyber Crime Center, the report stated.

Some of the program’s flaws resulted from unrealized expectations.

For instance, the report said, many Defense Industrial Base companies thought that the pilot aimed to prove that NSA signatures would provide an optimum level of protection not available through any other source. But, the report said, “when this result did not fully materialize,” the goal was scaled back to showing “a baseline level of protection.”
