“The expansion of voluntary information sharing between the department and the defense industrial base represents an important step forward in our ability to stay current with emerging cyberthreats,” Ashton B. Carter, deputy secretary of defense, said in announcing the move Friday.
Carter said that industry’s increased reliance on the Internet for daily business has exposed large amounts of sensitive information held on network servers to the risk of digital theft. Corporate cyber-espionage has reached epidemic scale, experts and officials say, with much of the activity traced to China and Russia.
Begun a year ago, the Defense Industrial Base enhanced pilot program included 17 companies that volunteered to have commercial carriers such as Verizon and AT&T scan e-mail traffic entering their networks for malicious software. Outgoing traffic that shows signs of being redirected to illegitimate sites is blocked so that it does not fall into an adversary’s hands.
A study in November by Carnegie Mellon University said that the pilot program showed the public-private model could work but that initial results on the efficacy of the National Security Agency measures were mixed, with the most value going to companies with less mature network defenses.
The report also said companies reported large numbers of false positives in detecting traffic to illegitimate sites. That flaw largely has been fixed, officials said.
One telecom industry official familiar with the program said he thought the results were better than reflected in the report. “There are a lot of opportunities for improving,” said the official, who was not authorized to speak on the record. For instance, the official said, “the longer it takes NSA to provide the data” to the carriers, the less useful the program will be. Overall, the official said, “we think it was a successful model.”
U.S. officials said that after initial difficulties, the program has become more effective, so much so that senior officials agreed at a White House meeting Thursday to expand it and make it permanent.
“It’s the best example of information sharing that helps in an operational way,” said Eric Rosenbach, deputy assistant secretary of defense for cyber-policy. “We haven’t heard of any other country that’s doing anything like this — a really collaborative relationship between government and private sector.”
Rosenbach acknowledged that the program was not perfect. “We’re definitely not claiming this is the silver bullet when it comes to cybersecurity for the defense firms,” he said. “It is an additional tool they can use to mitigate some of the risk of attacks.”