The Pentagon hopes that a newly-expanded program to share cyber threat information with companies that are part of the defense industrial base (DIB) could eventually attract up to 1,000 firms, a major jump from the relative handful of companies that have participated during the program’s pilot phase.
The DoD effort to share what it knows about specific cyber threats first started four years ago when the Pentagon began transmitting classified and unclassified threat signatures to defense companies. Then, last June, the department rolled out a pilot program to expand the umbrella to protect companies via their Internet Service Providers (ISPs). DoD capped the voluntary program at 36 companies that the Pentagon believed were ripe targets for foreign cyber intrusions. “The defense industrial base companies face a kind of unrelenting attack from sophisticated actors who are trying to steal intellectual property and sensitive defense information,” said Eric Rosenbach, assistant secretary of Defense for cyber policy. “We wanted to try to do something to address that, because the defense of everyday firms may not be equipped to defend against those.”
Last week, the Office of Management and Budget gave approval to the Pentagon to make the voluntary pilot program permanent, letting it expand to any defense company that has a secure facility and personnel to handle classified threat data. DoD estimates that approximately 8,000 firms are eligible, and officials say they would be happy if 1,000 of those signed up.
Companies have two ways to participate:
They can sign an agreement with DoD to accept and protect the threat information themselves.
They can sign up for an “enhanced” program, which 17 of the 36 defense companies have agreed to join. In the enhanced program, DoD has agreed to share cyber threats directly with ISPs that provide network connectivity to defense companies. The ISPs then scan and intercept threats before they reach the defense firm.
Under that part of the enhanced program, the Department of Homeland Security hosts the centralized database of current threats and makes it available to ISPs that have signed up to participate. ISPs have to meet the same standards for secure facilities and cleared personnel that apply to anyone else who handles classified information, Rosenbach told reporters on a Monday conference call.
“We think that makes it less likely that the information would leak or that intelligence agencies of another agency could get to it, because it’s held in fewer places,” he said. “The advantage of this model is that we can provide the information for an enhanced service to the ISPs, but we don’t necessarily have to pass the information itself on a widespread basis. We’re just using the power of the network and the Internet itself to provide a little bit of additional protection.”
Trust must be established
Rosenbach said the ISPs would offer that detection as a fee-based service. Three providers are participating so far, though DoD officials declined to identify them. He said the pilot phase of the program demonstrated that the concept of sharing threat information with industry works well in concept and had indeed succeeded in stopping cyber attacks.
DoD believes a lot of pent-up demand by defense companies to join the program exists. More than 250 companies who were not part of the pilot had asked to join but were prevented from doing so by the 36-company cap, said Richard Hale DoD’s deputy chief information officer for cybersecurity. “But we kept points of contact for all of those companies. We sent emails to all of them on Friday, and we’ve already started to see responses back,” he said. “But I think it’s too early to tell how quickly companies are going to actually apply for the program.”
Rosenbach said that while the technical efforts in setting up the information sharing effort were difficult, the much more challenging problems surrounded establishing trust, both between industry and government, and among federal agencies themselves.
“Those trust relationships really improved over the course of the [pilot] program, and the first, just to be candid, was the trust relationship between DHS and DoD. We’re at a point now where we really are back-to-back and we work very closely together,” he said. “I think the roles we’ve designed in the program are really quite good. DHS has the lead with the Internet Service Providers, but DoD maintains the lead in working with the DIB companies. I think that’s working very well. The other is the relationship between the firms and the government. One thing about DHS is that their capacity as an organization and their leadership has really improved dramatically. They get a bad rap for not being able to do a lot of the things in the cybersecurity space. I think that reputation is unfair. They are really equal partners in this cybersecurity arena.”
DoD said the project with defense companies could eventually scale up to protect systems that go beyond just the world of defense secrets, Rosenbach said.
“This is something we’re pretty proud of. I think it offers the potential to protect critical infrastructure as well if that’s something that the White House decides. This could play an important role in the strategic defense of the country,” he said.