The Defense Department's industrial base is huge, encompassing some 220,000 companies. With criminals and nefarious state actors intent on stealing intellectual property or taking down networks, cybersecurity is a huge concern for the department, the companies and national security.
As a result, the department is bolstering defense industrial base cybersecurity by sharing threat information, offering easy-to-implement ways the industrial base can shore up its own cyber defenses, and looking for ways to make further improvements as the threat continues to evolve, according to a DOD panel that spoke during a recent town hall.
"I think we've thwarted a good number of attacks by our intelligence sharing and your sharing of information about things going on in your network," said David McKeown, DOD's chief information security officer and deputy chief information officer for cybersecurity.
In addition to intelligence sharing, the department requires industrial base companies to achieve Cybersecurity Maturity Model Certification, which sets the minimum cybersecurity requirements for companies, he said, noting that the department has been working to streamline those requirements to make it easier for companies to comply.
He also said the department wants companies to review the National Institute of Standards and Technology's special publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations."'
A third requirement, he said, is that if there's a major cybersecurity breech, it must be reported within 72 hours to the DOD Cyber Crime Center. The center’s hotline is 410-981-0104 or 877-838-2174, and the website is https://dibnet.dod.mil.
"We would love to see you go beyond those requirements," McKeown said.
An excellent place to start is by visiting https://dibnet.dod.mil, which is DOD's gateway for defense contractor reporting and voluntary participation in DOD's Defense Industrial Base Cybersecurity Program, he said.
On that site, companies can report a cyber incident, as well as become a DOD voluntary public-private cybersecurity partner, he said. The site also has points of contact for anyone having questions or needing additional information.
The defense industrial base is one of 16 critical infrastructure sectors, identified in the presidential policy directive "Critical Infrastructure Security and Resilience", said Kristi Hunt in the office of the undersecretary of defense for policy.
That document spells out the policy for how the federal government will work to build trust with those sectors, how those sectors will work with other sectors, and how the whole effort for public-private partnership will advance national unity of effort to strengthen and maintain secure functioning and resilient critical infrastructure, she said.
Hunt said her agency works closely with the Department of Homeland Security and the Office of the Director of National Intelligence, sharing mitigation strategies, threat indicators, critical incidents and best practices.
Kristina Walter, chief of defense industrial base cyber defense at the National Security Agency, said, "NSA has great insight into foreign actors targeting DOD Information on DOD networks, national security system as well as defense industrial base networks."
However, the NSA must rely on industry partners to mitigate cybersecurity threats, she said.
"You are experts in your networks. We understand what foreign actors are doing, and when we work together, we can understand more rapidly what's happening and address the issue," she said.
The NSA, in partnership with the FBI, has set up a collaboration channel to get out as much information before an incident occurs, she said. More information can be found at https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/.
Krystal Covey, director of DOD's Defense Industrial Base Collaborative Information Sharing Environment, said the Defense Cybercrime Center hosts cybersecurity conferences and performs malware analysis, publishes cyber threat analyses, and shares actionable cybersecurity incidents.
Covey said that although only cleared defense contractors are covered by Code of Federal Regulations, Title 32, Part 236, there is work within the department to incorporate other companies into this program.
For More Information
DOD Focused on Protecting the Defense Industrial Base From Cyber Threats
Link to Town Hall video on DVIDS
Link to DOD CIO slides on DOD CIO library