Defense Department Joins Forces With Industry Against Cybercrime

By Ellen Nakashima
Washington Post Staff Writer
Monday, May 25, 2009; A19

LINTHICUM, Md. -- At 2:42 p.m. one recent Wednesday, on the fourth floor of a squat brick office building under the flight path of jets landing at Baltimore-Washington International Marshall Airport, a Pentagon analyst skilled in parsing malicious computer code e-mailed a threat alert to 28 of the nation's largest defense contractors.

That morning, a defense company had told the Defense Department Cyber Crime Center about a significant probe of its computer network. The Pentagon analysts determined the code was present in several companies' networks and raised the alarm.

This information exchange took place, government and industry officials said, because the companies and the Pentagon have begun to trust one another. They are joining forces to stem the loss of important defense industry data -- by some estimates at least $100 billion worth in the past two years, reflecting the cost to produce the data and its value to adversaries.

For two years, the Defense Department has been collaborating with industry to try to better protect the firms' computer networks. Now, as the Obama administration ponders how to strengthen the nation's defenses against cyberattacks, it is considering ways to share the Pentagon's threat data with other critical industries, such as those that handle vastly larger amounts of data, including phone calls and private e-mails. The threat scenarios, experts say, are chilling: a months-long blackout of much of the United States, wide-scale corruption of electronic banking data, a disabling of the air traffic control system.

The Pentagon's trial program with industry illuminates the promise and the pitfalls of such partnerships. The goal is a swifter, more coordinated response to threats facing the defense industry. But intelligence and law enforcement agencies have been reluctant to release threat data they consider classified. And the companies have been reluctant to share intrusion data, for fear of losing control over personal or proprietary information.

"This isn't just about national security. It's about the economic well-being of the United States. It's that fine line of ensuring that you have security without unnecessarily compromising privacy," said Barbara Fast, vice president of Boeing Cyber Solutions.

The pilot program has prompted the Department of Homeland Security to consider extending the model to other industries, officials said. And the Defense Department is in preliminary talks with telecommunications and Internet service providers about creating a similar partnership, industry officials say.

The Defense Department's Cyber Crime Center, whose 277 employees are mostly contractors, is a clearinghouse for threat data from the National Security Agency, military agencies, the DHS and industry. Some alerts go out quickly, such as those flagging the "Internet protocol" address of a potential hacker.

Other reports based on classified data take on average three weeks to compile. They tell a company who might be behind an attack and what the attacker's tactics are, such as infected e-mail. One reason vetting such material takes time is that sources must approve dissemination of the information to ensure that disclosure will not jeopardize an investigation.

"Clearly this needs to be a lot quicker than it is today," Boeing's Fast said in an interview last month.

Several firms said they share with the Cyber Crime Center technical information about viruses and suspicious probes that they feel can help the industry broadly. But Northrop Grumman, for instance, generally reports breaches to the military branch that owns the contract, company officials said, and the branch decides whether it should be reported elsewhere.

"There is this natural inclination to not highlight that you've had a problem, an incursion into your system," said Ellen E. McCarthy, president of the Intelligence and National Security Alliance, which includes the defense industry. "It highlights to your customers, to your board of directors, that you've had a problem."

Though Lockheed Martin's agreement allows the firm to send samples of breach data to the crime center, the firm prefers to do its own intrusion investigations, said Mike Gordon, senior manager of Lockheed's Computer Incident Response Team. "We've got the most talented team, the most advanced technologies," he said during an interview at the firm's Security Intelligence Center in Gaithersburg.

At the touch of a button, a wood-paneled wall slid up and revealed an operations center -- barely a year old -- with 24 workstations, 15 analysts scrutinizing code on their monitors, a wall of giant video screens showing network traffic, and a map of the firm's global Internet links. Each day, 4 million e-mails enter Lockheed's networks, and analysts monitor hundreds of millions of actions, including clicks on the company Web site, for suspicious activity.

In 2006, Lockheed officials contacted government investigators about a suspicious intrusion into an unclassified network that handles data on the F-35 Joint Strike Fighter. The Wall Street Journal reported about that incident last month.

Senior Air Force officials became concerned that other systems were vulnerable and directed that the breach investigation be broadened to include the F-22 fighter program, although no evidence was found that F-22 data had been stolen, according to sources who spoke on the condition of anonymity because of the matter's sensitivity.

Both jets rely on computer networks for operation and maintenance, which makes them vulnerable to hacking that can affect flight operations. Gaining access to unclassified data about design and maintenance can allow an adversary to more easily design countermeasures, the sources said.

In early 2007, the Air Force launched a partnership with about a dozen companies that work on the F-35 and F-22, and that served as the nucleus for the broader partnership. In August 2007, Deputy Defense Secretary Gordon England gathered the top executives of major contractors for a classified briefing.

"We shared with them the fact that we've got a very, very aggressive cyber threat," said Robert Lentz, a Pentagon official who heads the partnership. The Pentagon soon will seek to amend defense acquisition rules to require cybersecurity standards for firms seeking contracts. "The sooner we all understand what's required to protect the information in our networks, and we teach this in universities and in businesses, the better off we all will be, down to the Internet user at home," Lentz said.

© 2009 The Washington Post Company