Defense Department officials said a pilot program that lets them share cyber threat information with the private sector has been a success story, and more firms are clamoring to join. Within a few months, the program will be significantly expanded and made permanent, officials said Tuesday.
Teri Takai, the DoD chief information officer, said under rules that are awaiting approval from the Office of Management and Budget, the defense industrial base (DIB) pilot program would grow to include roughly 200 firms from the current 37. She said she hoped the White House would sign off on the rules within the next 60 days.
“We’ve been working on this for two years now,” Takai told a cybersecurity forum organized by Rep. Jim Moran (D-Va.) in Arlington, Va. “Our plan this year is to expand this, and I think it’ll give a lot more companies the opportunity to share not only with us, but with each other.” DoD started the pilot program nearly a year ago based on a simple premise: since foreign hackers weren’t having much luck stealing information from Defense Department systems, they had turned their sights on systems owned and operated by companies in the defense industrial base.
The sharing would involve both classified and unclassified data and would let information flow in both direction — private firms would share information about the attacks they’re seeing with the National Security Agency, and NSA would provide its own information about current threats to companies who meet the program’s requirements.
Takai said the effort also will form the basis for a similar cyber threat information sharing program the Department of Homeland Security has begun, that one designed to share information with Internet service providers (ISPs) so they could help defend their networks and customers against attacks.
The exfiltration of data from private firms is the most prevalent cyber threat the nation faces at the moment, said Rear Adm. Samuel Cox, the director of intelligence for U.S. Cyber Command. He said he thinks some cyber threats are being overhyped in the media, and that it’s unlikely a potential adversary would be able to pull off a spectacular attack like shutting down the entire U.S. electric grid, at least in today’s environment.
He said most incidents that are characterized as “attacks” are more aptly described as probes, intelligence gathering or espionage.
“What’s really hurting the United States right now is industrial espionage on a massive scale,” he said. “It’s primarily targeted against high-tech capabilities that, when stolen, allow adversaries to leapfrog technological hurdles and catch up with us. I think when people hear in the news media every day that we suffer however big number of attacks and then they look around and see things operating as normal, they become immune to what the threat really is. The threat is increasing at a rapid and accelerating rate.”
But Cox said the world is rapidly moving toward an era in which the potential of destructive attacks launched though cyber means is becoming more and more serious. He said Cyber Command is witnessing a “global cyber arms race” as nation states try to stay ahead of one another’s offensive and defensive cyber capabilities.
As for U.S. Cyber Command’s own offensive capabilities, Cox said they’re the strongest in the world, but other nations are uncomfortably close — in some cases, as little as two years behind.
Other countries catching up with offensive capabilities
DoD officials routinely refuse to discuss details about the United States’ offensive cyber capabilities in public, but Cox did offer some insight into when Cyber Command would use those weapons, saying they would be reserved for only the most extreme situations. “If you live in a great big glass house, you need to be really careful about what rocks you throw at other people, no matter how shiny and neat those rocks are,” he said. “Because even someone on the low end of the spectrum with crude rocks can do real damage if they throw them back. So I can guarantee you that any discussion of offensive cyber operations will be conducted with the greatest of care and planning, only in response to extremely grave threats, and only with the authorization of the very highest levels of the U.S. government. It should never be used in any kind of cavalier manner.”
DoD currently is finalizing a set of rules of engagement that lay out what specific actions it can take against an adversary in cyberspace. The effort is complicated, Cox said, because conducting cyber war while minimizing collateral damage turns out to be extremely difficult. He said that’s another factor that makes cyber weapons an asymmetric threat against the U.S.
“If an adversary wanted to wage unrestricted cyber warfare against undefended civilian targets, and you don’t care too much about collateral damage or fratricide and you’re willing to accept a haphazard result, that’s comparatively easy to do and it’s why our country is vulnerable to that kind of attack,” he said. “But if you’re trying to do precision strike in cyberspace with a high degree of confidence that you will do what you intend to do and not do what you don’t intend to do, that takes enormous amounts of intelligence, planning and some very carefully crafted cyber tools that won’t boomerang against you down the road. Offensive operations are actually really, really hard.”
Commercial cyber products desired
To improve its cyber capabilities and make sure they keep up with the pace of technology, DoD wants to increase its adoption of commercial security products.
Neal Ziring, the technical director for the National Security Agency’s information assurance directorate, said DoD still will have to assemble and integrate those products in a well-thought-out, scientifically proven way. But it has to overcome the “not invented here” syndrome.
“There’s all sorts of culture within the DoD and even within the NSA that says ‘let’s build our own thing, it’ll be perfect and wonderfully adapted to its job.’ We’ve got to get away from that,” he said. “We’re going to change the snooty attitude. It’s still going to be a snooty attitude, but instead of ‘not invented here,’ it’s going to be ‘it doesn’t meet standards.’ We are going to use commercial technologies, but they need to adhere to standards so that they can interoperate, so that they can be assessed, all those other things.”
Ziring said those commercial capabilities along with existing DoD IT assets will be brought together into more consolidated environments to make them more defensible and so that DoD can leverage its IT security investments across more of its programs. He said the department will offer both incentives for managers to bring their IT programs into those consolidated environments and consequences if they don’t.