DOD Expands Contractor Cyber-threat Protection Program
By Cheryl Pellerin
American Forces Press Service
WASHINGTON, May. 11, 2012 The Defense Department is expanding one pilot program and enhancing another, both of which involve sharing cyber-threat data with cleared defense contractors who work with DOD intellectual property, senior defense officials said yesterday.
Richard A. Hale, deputy chief information officer for cyber security, and Eric Rosenbach, deputy assistant secretary of defense for cyber policy, discussed both efforts during an interview with the Pentagon Channel and American Forces Press Service.
“The defense industrial base Cyber Security/Information Assurance Program is a public-private partnership that DOD began in order to better protect DOD information that lives outside DOD,” Hale said.
“We started the program in an attempt to share cyber-threat data with these companies in a way that allowed the companies to act on that information immediately,” he added.
In partnership with the Department of Homeland Security, DOD announced these developments in defense industrial base, or DIB, cyber-security activities.
In a press release about the program, Deputy Defense Secretary Ashton B. Carter said expanding the voluntary sharing of information between DOD and the defense industrial base is “an important step forward in our ability to catch up with widespread cyber threats.”
After a four-year DIB cyber-security pilot with 37 cleared companies, Hale said, the program is now available to all DIB companies that have facility security clearances.
“What DOD shares with these companies is unclassified and classified cyber-threat information,” Hale said. “The program is voluntary and … if the companies choose they can share cyber-incident data back with DOD, including samples of malicious code that the companies find in their networks.”
DOD uses that information to alert participating companies as well as the rest of the federal government to signatures of the captured malware.
To participate in the program, Hale said, companies go to the Defense Industrial Base Cyber Security/Information Assurance Program’s public website to download and execute with DOD a framework agreement that sets rules and responsibilities for DOD and the DIB companies.
“Once there’s a formal agreement in place, DOD extends DIBNET and a classified version of DIBNET to the company and begins sharing information,” Hale said. “And the companies, if they choose to, start sharing incident data back with DOD.”
The other DOD information-sharing effort is an extension of this baseline program, Rosenbach said, called DIB Enhanced Cyber Security Services. The pilot has been operational for a year, with a few-dozen participating DIB companies.
“We think … it’s the first model like this in the world where the government works with the private sector in a very proactive way to do something to protect private-sector firms -- in this case the defense industrial base, from advanced cyber-security threats,” he said.
The specialized information DOD is passing to the DIB companies through this extended program “is not something that’s available in the private sector,” the deputy assistant secretary said, “so there’s additional value that lowers the risk of cyber attack to these defense industrial base firms.”
The extended program works, he added, “by taking all these specialized codes derived from cyber threats [and] giving them to [the Department of Homeland Security], which then sends them to an Internet service provider. Then the Internet service provider takes this special code, known as a signature, and scans the company’s Internet traffic to see whether it hits.”
The participating companies pay the Internet service provider a fee for this service.
Two specific countermeasures are “a type of filter for all the participants,” Rosenbach said, noting participants’ “Internet traffic goes through that filter and then it’s to some degree filtered or cleansed before it gets to the firm itself.”
The extended program, he said, “is a little bit different from what we had been doing up to this point because it’s active -- it’s actually using the power of the network and the Internet service provider to scan the traffic.”
In the past, he added, they passed on the threat information but no scanning was being done.
“It’s not the ‘silver bullet’ for all cyber security,” Rosenbach said. “It’s just one additional tool that you’d use if you might be hit by a threat.”
According to Hale, participating companies are happy with the program.
“The feedback I get from the companies who are participating right now is that the sharing of information and then the interaction with the government [and] … with other defense industrial base cyber-security program participants has raised all boats,” he said.
“Not only do they get immediately actionable information when the government shares this information with the companies,” Hale added, but the companies have developed best practices they’ve shared with each other and with the federal government.
“That has tended to raise both the government’s and the industry’s cyber-security practices,” Hale said.