DOD Expands Contractor Cyber-threat Protection Program

WASHINGTON, May 11, 2012 — The Defense Depart­ment is expand­ing one pilot pro­gram and enhanc­ing anoth­er, both of which involve shar­ing cyber-threat data with cleared defense con­trac­tors who work with DOD intel­lec­tu­al prop­er­ty, senior defense offi­cials said yes­ter­day.

Here you can find more infor­ma­tion about Cyber War­fare

Richard A. Hale, deputy chief infor­ma­tion offi­cer for cyber secu­ri­ty, and Eric Rosen­bach, deputy assis­tant sec­re­tary of defense for cyber pol­i­cy, dis­cussed both efforts dur­ing an inter­view with the Pen­ta­gon Chan­nel and Amer­i­can Forces Press Ser­vice.

“The defense indus­tri­al base Cyber Security/Information Assur­ance Pro­gram is a pub­lic-pri­vate part­ner­ship that DOD began in order to bet­ter pro­tect DOD infor­ma­tion that lives out­side DOD,” Hale said.

“We start­ed the pro­gram in an attempt to share cyber-threat data with these com­pa­nies in a way that allowed the com­pa­nies to act on that infor­ma­tion imme­di­ate­ly,” he added.

In part­ner­ship with the Depart­ment of Home­land Secu­ri­ty, DOD announced these devel­op­ments in defense indus­tri­al base, or DIB, cyber-secu­ri­ty activ­i­ties.

In a press release about the pro­gram, Deputy Defense Sec­re­tary Ash­ton B. Carter said expand­ing the vol­un­tary shar­ing of infor­ma­tion between DOD and the defense indus­tri­al base is “an impor­tant step for­ward in our abil­i­ty to catch up with wide­spread cyber threats.”

After a four-year DIB cyber-secu­ri­ty pilot with 37 cleared com­pa­nies, Hale said, the pro­gram is now avail­able to all DIB com­pa­nies that have facil­i­ty secu­ri­ty clear­ances.

“What DOD shares with these com­pa­nies is unclas­si­fied and clas­si­fied cyber-threat infor­ma­tion,” Hale said. “The pro­gram is vol­un­tary and … if the com­pa­nies choose they can share cyber-inci­dent data back with DOD, includ­ing sam­ples of mali­cious code that the com­pa­nies find in their net­works.”

DOD uses that infor­ma­tion to alert par­tic­i­pat­ing com­pa­nies as well as the rest of the fed­er­al gov­ern­ment to sig­na­tures of the cap­tured mal­ware.

To par­tic­i­pate in the pro­gram, Hale said, com­pa­nies go to the Defense Indus­tri­al Base Cyber Security/Information Assur­ance Program’s pub­lic web­site to down­load and exe­cute with DOD a frame­work agree­ment that sets rules and respon­si­bil­i­ties for DOD and the DIB com­pa­nies.

“Once there’s a for­mal agree­ment in place, DOD extends DIBNET and a clas­si­fied ver­sion of DIBNET to the com­pa­ny and begins shar­ing infor­ma­tion,” Hale said. “And the com­pa­nies, if they choose to, start shar­ing inci­dent data back with DOD.”

The oth­er DOD infor­ma­tion-shar­ing effort is an exten­sion of this base­line pro­gram, Rosen­bach said, called DIB Enhanced Cyber Secu­ri­ty Ser­vices. The pilot has been oper­a­tional for a year, with a few-dozen par­tic­i­pat­ing DIB com­pa­nies.

“We think … it’s the first mod­el like this in the world where the gov­ern­ment works with the pri­vate sec­tor in a very proac­tive way to do some­thing to pro­tect pri­vate-sec­tor firms — in this case the defense indus­tri­al base, from advanced cyber-secu­ri­ty threats,” he said.

The spe­cial­ized infor­ma­tion DOD is pass­ing to the DIB com­pa­nies through this extend­ed pro­gram “is not some­thing that’s avail­able in the pri­vate sec­tor,” the deputy assis­tant sec­re­tary said, “so there’s addi­tion­al val­ue that low­ers the risk of cyber attack to these defense indus­tri­al base firms.”

The extend­ed pro­gram works, he added, “by tak­ing all these spe­cial­ized codes derived from cyber threats [and] giv­ing them to [the Depart­ment of Home­land Secu­ri­ty], which then sends them to an Inter­net ser­vice provider. Then the Inter­net ser­vice provider takes this spe­cial code, known as a sig­na­ture, and scans the company’s Inter­net traf­fic to see whether it hits.”

The par­tic­i­pat­ing com­pa­nies pay the Inter­net ser­vice provider a fee for this ser­vice.

Two spe­cif­ic coun­ter­mea­sures are “a type of fil­ter for all the par­tic­i­pants,” Rosen­bach said, not­ing par­tic­i­pants’ “Inter­net traf­fic goes through that fil­ter and then it’s to some degree fil­tered or cleansed before it gets to the firm itself.”

The extend­ed pro­gram, he said, “is a lit­tle bit dif­fer­ent from what we had been doing up to this point because it’s active — it’s actu­al­ly using the pow­er of the net­work and the Inter­net ser­vice provider to scan the traf­fic.”

In the past, he added, they passed on the threat infor­ma­tion but no scan­ning was being done.

“It’s not the ’sil­ver bul­let’ for all cyber secu­ri­ty,” Rosen­bach said. “It’s just one addi­tion­al tool that you’d use if you might be hit by a threat.”

Accord­ing to Hale, par­tic­i­pat­ing com­pa­nies are hap­py with the pro­gram.

“The feed­back I get from the com­pa­nies who are par­tic­i­pat­ing right now is that the shar­ing of infor­ma­tion and then the inter­ac­tion with the gov­ern­ment [and] … with oth­er defense indus­tri­al base cyber-secu­ri­ty pro­gram par­tic­i­pants has raised all boats,” he said.

“Not only do they get imme­di­ate­ly action­able infor­ma­tion when the gov­ern­ment shares this infor­ma­tion with the com­pa­nies,” Hale added, but the com­pa­nies have devel­oped best prac­tices they’ve shared with each oth­er and with the fed­er­al gov­ern­ment.

“That has tend­ed to raise both the government’s and the industry’s cyber-secu­ri­ty prac­tices,” Hale said.

U.S. Depart­ment of Defense
Office of the Assis­tant Sec­re­tary of Defense (Pub­lic Affairs)