“The expansion of voluntary information sharing between the department and the defense industrial base represents an important step forward in our ability to stay current with emerging cyberthreats,” Ashton B. Carter, deputy secretary of defense, said in announcing the move Friday.
Carter said that industry’s increased reliance on the Internet for daily business has exposed large amounts of sensitive information held on network servers to the risk of digital theft. Corporate cyber-espionage has reached epidemic scale, experts and officials say, with much of the activity traced to China and Russia.
Begun a year ago, the Defense Industrial Base enhanced pilot program included 17 companies that volunteered to have commercial carriers such as Verizon and AT&T scan e-mail traffic entering their networks for malicious software. Outgoing traffic that shows signs of being redirected to illegitimate sites is blocked so that it does not fall into an adversary’s hands.
A study in November by Carnegie Mellon University said that the pilot program showed the public-private model could work but that initial results on the efficacy of the National Security Agency measures were mixed, with the most value going to companies with less mature network defenses.
The report also said companies reported large numbers of false positives in detecting traffic to illegitimate sites. That flaw largely has been fixed, officials said.
One telecom industry official familiar with the program said he thought the results were better than reflected in the report. “There are a lot of opportunities for improving,” said the official, who was not authorized to speak on the record. For instance, the official said, “the longer it takes NSA to provide the data” to the carriers, the less useful the program will be. Overall, the official said, “we think it was a successful model.”
U.S. officials said that after initial difficulties, the program has become more effective, so much so that senior officials agreed at a White House meeting Thursday to expand it and make it permanent.
“It’s the best example of information sharing that helps in an operational way,” said Eric Rosenbach, deputy assistant secretary of defense for cyber-policy. “We haven’t heard of any other country that’s doing anything like this — a really collaborative relationship between government and private sector.”
Rosenbach acknowledged that the program was not perfect. “We’re definitely not claiming this is the silver bullet when it comes to cybersecurity for the defense firms,” he said. “It is an additional tool they can use to mitigate some of the risk of attacks.”
The carriers are using classified threat data or indicators provided by the NSA to screen the traffic, as well as unclassified threat data provided by the Department of Homeland Security. DHS reviews all the screening data before it goes to the carriers.
The companies may turn over results of the screening to the government. The data would go to DHS and could be shared with agencies such as the NSA and FBI, but with strict privacy protections, officials said.
Rosenbach said that although the NSA should get feedback on how effective its measures are, the agency does not deal directly with the carriers or companies. And, he said, no information that can identify a person is shared with the government.
Still, privacy concerns are high, especially as Congress considers legislation to foster a broader exchange of cyberthreat data between the government and industry.
“Having the NSA provide classified cyberattack signatures to network operators to help them protect their networks . . . is far preferable to having the NSA scan private networks for those signatures,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology. “However, the flow of information back to the government raises significant privacy concerns in the program and in the pending cybersecurity legislation.”
The cybersecurity program will remain voluntary, officials said. As of December, companies have had to pay their Internet carrier for the service. It is unclear how many of the roughly 8,000 eligible defense contractors will sign up.
Rosenbach said he thought a number of companies would do it “because they see it as a good business decision and a good national security decision.”
The government also will allow companies beyond the current four Internet carriers to offer the screening service if they can demonstrate that they have secure facilities and the capability, officials said.
The Pentagon is also enlarging a four-year-old cybersecurity program in which the Defense Department and contractors share threat data directly with each other. That program has 36 participants and could grow to about 1,000, said Richard Hale, the Pentagon’s deputy chief information officer.