The carriers are using classified threat data or indicators provided by the NSA to screen the traffic, as well as unclassified threat data provided by the Department of Homeland Security. DHS reviews all the screening data before it goes to the carriers.
The companies may turn over results of the screening to the government. The data would go to DHS and could be shared with agencies such as the NSA and FBI, but with strict privacy protections, officials said.
Rosenbach said that although the NSA should get feedback on how effective its measures are, the agency does not deal directly with the carriers or companies. And, he said, no information that can identify a person is shared with the government.
Still, privacy concerns are high, especially as Congress considers legislation to foster a broader exchange of cyberthreat data between the government and industry.
“Having the NSA provide classified cyberattack signatures to network operators to help them protect their networks . . . is far preferable to having the NSA scan private networks for those signatures,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology. “However, the flow of information back to the government raises significant privacy concerns in the program and in the pending cybersecurity legislation.”
The cybersecurity program will remain voluntary, officials said. As of December, companies have had to pay their Internet carrier for the service. It is unclear how many of the roughly 8,000 eligible defense contractors will sign up.
Rosenbach said he thought a number of companies would do it “because they see it as a good business decision and a good national security decision.”
The government also will allow companies beyond the current four Internet carriers to offer the screening service if they can demonstrate that they have secure facilities and the capability, officials said.
The Pentagon is also enlarging a four-year-old cybersecurity program in which the Defense Department and contractors share threat data directly with each other. That program has 36 participants and could grow to about 1,000, said Richard Hale, the Pentagon’s deputy chief information officer.