The Pentagon predicts that as many as 1,000 defense contractors may join a voluntary effort to share classified information on cyberthreats under an expansion of a first-ever initiative to protect computer networks.
After a pilot program that involved 36 contractors and three of the biggest U.S. Internet providers, the Obama administration approved a rule letting the Pentagon enlist all contractors and Internet providers with security clearances in the information exchange, according to Eric Rosenbach, deputy assistant secretary of defense for cyberpolicy.
“This is an important milestone in voluntary information-sharing between government and industry,” Rosenbach said in a recent interview. Richard Hale, the Pentagon’s deputy chief information officer for cybersecurity, said 1,000 companies may participate.
If the Pentagon’s effort succeeds in safeguarding defense contractors from cyberattacks, the administration may enlarge the program to companies in 15 other critical infrastructure categories through the Department of Homeland Security, Rosenbach said.
Cyberthreats facing the U.S. defense industry and its “unclassified information systems represent an unacceptable risk of compromise of DoD information and pose an imminent threat to U.S. national security and economic security interests,” according to the federal rule authorizing the expanded Defense Department program.
Information needs to be shared because hackers, especially in China, are accelerating efforts to penetrate computer networks such as those of defense contractors, Rear Adm. Samuel Cox, director of intelligence for U.S. Cyber Command, told reporters at a conference last month.
“Chinese capabilities in computer network operations have advanced sufficiently to pose genuine risk to U.S. military operations in the event of a conflict,” according to a March report by the U.S.-China Economic and Security Review Commission, a group created by Congress to monitor China.
Using a secure portal called DIBnet, the Pentagon will provide both classified and unclassified information on cybersecurity threats, and defenses against them, to companies that have security clearances and agree to participate, according to Rosenbach and Hale.
“You are using special intelligence information derived [from] somewhere else in the world to put into” cybersecurity, Rosenbach said in the interview. “So it is more active than simply waiting for an attack to come.”
Internet providers such as Verizon Communications and defense contractors, including Lockheed Martin, have said that they participated in the pilot program and intended to continue in an expanded effort.
“We might share with the companies what kind of cyberattack trends we are seeing inside DoD — if a particular kind of phishing attack, for instance, has become more prevalent,” Hale said.
Rosenbach said participants also may elect to join an “enhanced effort” under which the Defense Department will provide fixes for each type of threat to Internet providers and other eligible companies, which in turn will screen the network traffic flowing to the contractors. That initiative has been undergoing testing for a year.
While the Pentagon initiative is based on voluntary information-sharing, President Obama has threatened to veto legislation that also would encourage government and companies to share data voluntarily while giving business legal immunity for such exchanges. The measure passed the Republican-controlled House on April 26.
Instead, Obama has backed legislation in the Democratic-controlled Senate that would give the Department of Homeland Security authority to regulate the cybersecurity of vital systems such as power grids and transportation networks.