Defense Department Joins Forces With Industry Against Cybercrime
Monday, May 25, 2009
LINTHICUM, Md. -- At 2:42 p.m. one recent Wednesday, on the fourth floor of a squat brick office building under the flight path of jets landing at Baltimore-Washington International Marshall Airport, a Pentagon analyst skilled in parsing malicious computer code e-mailed a threat alert to 28 of the nation's largest defense contractors.
That morning, a defense company had told the Defense Department Cyber Crime Center about a significant probe of its computer network. The Pentagon analysts determined the code was present in several companies' networks and raised the alarm.
This information exchange took place, government and industry officials said, because the companies and the Pentagon have begun to trust one another. They are joining forces to stem the loss of important defense industry data -- by some estimates at least $100 billion worth in the past two years, reflecting the cost to produce the data and its value to adversaries.
For two years, the Defense Department has been collaborating with industry to try to better protect the firms' computer networks. Now, as the Obama administration ponders how to strengthen the nation's defenses against cyberattacks, it is considering ways to share the Pentagon's threat data with other critical industries, such as those that handle vastly larger amounts of data, including phone calls and private e-mails. The threat scenarios, experts say, are chilling: a months-long blackout of much of the United States, wide-scale corruption of electronic banking data, a disabling of the air traffic control system.
The Pentagon's trial program with industry illuminates the promise and the pitfalls of such partnerships. The goal is a swifter, more coordinated response to threats facing the defense industry. But intelligence and law enforcement agencies have been reluctant to release threat data they consider classified. And the companies have been reluctant to share intrusion data, for fear of losing control over personal or proprietary information.
"This isn't just about national security. It's about the economic well-being of the United States. It's that fine line of ensuring that you have security without unnecessarily compromising privacy," said Barbara Fast, vice president of Boeing Cyber Solutions.
The pilot program has prompted the Department of Homeland Security to consider extending the model to other industries, officials said. And the Defense Department is in preliminary talks with telecommunications and Internet service providers about creating a similar partnership, industry officials say.
The Defense Department's Cyber Crime Center, whose 277 employees are mostly contractors, is a clearinghouse for threat data from the National Security Agency, military agencies, the DHS and industry. Some alerts go out quickly, such as those flagging the "Internet protocol" address of a potential hacker.
Other reports based on classified data take on average three weeks to compile. They tell a company who might be behind an attack and what the attacker's tactics are, such as infected e-mail. One reason vetting such material takes time is that sources must approve dissemination of the information to ensure that disclosure will not jeopardize an investigation.
"Clearly this needs to be a lot quicker than it is today," Boeing's Fast said in an interview last month.
Several firms said they share with the Cyber Crime Center technical information about viruses and suspicious probes that they feel can help the industry broadly. But Northrop Grumman, for instance, generally reports breaches to the military branch that owns the contract, company officials said, and the branch decides whether it should be reported elsewhere.
"There is this natural inclination to not highlight that you've had a problem, an incursion into your system," said Ellen E. McCarthy, president of the Intelligence and National Security Alliance, which includes the defense industry. "It highlights to your customers, to your board of directors, that you've had a problem."