
Pentagon expanding public-private cyber information sharing program

Rather than wait for Congress to pass legislation enabling private companies to send information about cyber attacks to the U.S. government, the Pentagon is expanding a little-known program allowing defense contractors to share information with the government about cyber espionage and attacks against them.

In recent years, U.S. defense contractors have famously been hit by cyber attacks compromising information on high-profile weapons systems, such as the $1.5 trillion F-35 Joint Strike Fighter program. In the case of the F-35, the attacks have led to costly software redesigns and production delays.

To remedy this, the Defense Industrial Base Cybersecurity and Information Assurance (DIBCIA) program was established several years ago as a voluntary partnership between defense contractors with security clearances and the government, aimed at sharing information on cyber threats and even providing companies with assistance from U.S. intelligence agencies in defending against cyber threats.

Now, the Pentagon is opening up DIBCIA to a broader swath of companies.

"If you're a Defense Department contractor with a facility clearance, we want to share classified threat information with you," said Richard Hale, the Pentagon's deputy chief information officer for cyber, during a Sept. 27 cybersecurity conference in Washington. "It's a voluntary program. We'll share with you, you share with us. We also have a second part of that program that allows you to get security services from a service provider that's getting classified information and using it to protect you."

DoD is now working with the Department of Homeland Security to develop a similar program that would allow companies responsible for maintaining critical infrastructure -- banks, utilities, Internet service providers, etc. -- to share information on cyber threats with DHS.

"We're teamed closely with [the Department of Homeland Security] to see if DHS can expand this model out to other critical infrastructure," said Hale.

This comes as Pentagon officials revealed that they plan to work with private companies to develop incentives for meeting high standards of defense against cyber attacks delivered through counterfeit or compromised electronic parts in their supply chain (this is either a major threat or completely overblown, depending on who you ask).

So far, these efforts between DoD and defense contractors to share information and defend against cyber threats have been "enormously successful," Eric Rosenbach, deputy assistant secretary of defense for cyber policy, told Killer Apps earlier this month.

Rosenbach went on to describe the information-sharing subset of DIBCIA whereby U.S. intelligence agencies analyze cyber threats on behalf of defense contractors via something called the Defense Enhanced Cybersecurity Service (DECS).

"We wanted to create a new model for trying to protect information, so we are using specialized [threat] signatures [known to] the intelligence community, giving them to Internet service providers, who then screen the Internet service traffic" to protect defense companies who subscribe to the service, said Rosenbach.

He insisted that the intelligence community does not see the actual web traffic -- and therefore private citizens' information -- running across the networks of Internet service providers (ISPs); it merely gives information and analysis about malicious signatures to the providers who can be on the lookout for them.

"The part that's unique is the intelligence community involvement, just giving them the signatures. The intelligence community does not scan the traffic, see the traffic, see any of the results of scanning, so they're completely separate. They just give the special sauce, so to speak," said Rosenbach, referring to the information on advanced cyber threats given by intelligence agencies to the ISPs.

Defense contractors pay for this service and "the only thing that the government provides [is the analysis of] these specialized signatures and the ISPs are responsible for making sure it all runs," added Rosenbach.

Those signatures are "basically a string of numbers in hexadecimal format that's mostly unintelligible unless it's read by a machine or an antivirus program," said Rosenbach. "That type of information, technical information, is what's most valuable to information sharing. It's not the personally identifiable information that we're interested [in]; it's the type of information that could help you stop an attack if you know what you're looking for."
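The role split Rosenbach describes -- intelligence agencies hand over hexadecimal byte-pattern signatures, ISPs screen the traffic they already carry, and only match indicators (not payloads or subscriber data) flow back -- is easy to model in code. The following is an added illustration written for this page, not code from DECS, the Pentagon or any ISP; the signature feed, packet payloads, flow tuples and reporting key are all constructed, and the feed format (an id paired with a hex string) is an assumption about how such a feed might look.

```python
"""Added example (not from the article, DECS, the Pentagon or any ISP): a toy
model of the signature-distribution / traffic-screening split described above.
The 'intelligence' side contributes only hex byte patterns; the 'ISP' side
screens traffic and reports back only signature identifiers plus an opaque
flow token. All signatures, packets and keys below are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: str
    pattern: bytes


def load_signature_feed(feed):
    """Parse a feed of (id, hex string) pairs as the intelligence side might
    supply them. Malformed entries (odd length, non-hex characters) are skipped
    rather than crashing the screening node, and the reject count is returned
    so the operator can audit a bad feed delivery."""
    sigs, rejected = [], 0
    for sig_id, hex_str in feed:
        cleaned = hex_str.replace(" ", "").replace(":", "")
        try:
            sigs.append(Signature(sig_id, bytes.fromhex(cleaned)))
        except ValueError:
            rejected += 1
    return sigs, rejected


def screen_flows(flows, signatures, report_key):
    """ISP-side screening. `flows` is an iterable of (flow_tuple, payload).
    Returns hit records containing only what the text calls the useful part:
    which signature matched and a keyed digest of the flow tuple. The payload
    and the cleartext addresses never leave this function, so the report can
    be shared without exposing subscriber traffic."""
    hits = []
    for flow, payload in flows:
        token = hmac.new(report_key, repr(flow).encode(), hashlib.sha256).hexdigest()[:16]
        for sig in signatures:
            if sig.pattern in payload:
                hits.append({"sig_id": sig.sig_id, "flow_token": token})
    return hits


# Constructed sample feed: two valid signatures and one malformed entry.
SAMPLE_FEED = [
    ("SIG-0001", "4d 5a 90 00"),   # constructed byte pattern
    ("SIG-0002", "DEADBEEFCAFE"),  # constructed byte pattern
    ("SIG-BAD", "abc"),            # odd length: rejected at load time
]

# Constructed sample traffic: ((src, dst, dport), payload)
SAMPLE_FLOWS = [
    (("10.0.0.5", "203.0.113.7", 443), b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (("10.0.0.9", "198.51.100.2", 8080), b"\x00\x01" + bytes.fromhex("deadbeefcafe") + b"\x02"),
    (("10.0.0.9", "198.51.100.2", 8080), b"MZ\x90\x00 header-like bytes"),
]


def run_demo():
    """Load the constructed feed, screen the constructed flows, and return a
    summary the test can assert on."""
    sigs, rejected = load_signature_feed(SAMPLE_FEED)
    hits = screen_flows(SAMPLE_FLOWS, sigs, report_key=b"constructed-demo-key")
    return {"loaded": len(sigs), "rejected": rejected, "hits": hits}


if __name__ == "__main__":
    print(run_demo())
```

Two things worth noticing when you run it: the hit list carries no payload bytes and no IP addresses, only the signature id and an HMAC-derived token, so the same flow hitting twice yields the same token without revealing which subscriber it belongs to; and a malformed feed entry is counted and dropped instead of taking the screening node down with it.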

DECS, the part of the program built around sharing the intelligence agencies' threat signatures, "ran in pilot mode" for several years and was finally cleared to expand in the spring of this year, DoD Chief Information Officer Teri Takai told Killer Apps during the same interview as Rosenbach.

"It's something we think could be expanded to possibly work for protecting critical infrastructure and other parts of the federal government," said Rosenbach.

"We've got a queue of companies that are interested in joining, we've got other federal agencies that are interested in coming aboard, and we've got other federal agencies that are interested in either using our program or creating a similar program," added Takai.

Congress has repeatedly tried and failed to pass legislation that would allow and encourage private companies to share information about cyber security threats with the U.S. government. Many of these bills have been met with strong opposition from civil liberties groups -- and in some cases the White House -- who claim that companies could unnecessarily gather and share private information about U.S. citizens with the government, in the name of cybersecurity. Supporters of these bills argue that real-time information sharing between critical infrastructure providers and the government is required to defend against advanced cyber threats.



DoD officials worried about built-in cyber attacks

Current and past Pentagon officials today suggested that the government should incentivize defense contractors, banks, utility companies, and Internet service providers to strengthen their defenses against attacks that exploit vulnerabilities in the global supply chain.

"We're now worried [about] the integrity of the products coming into our global supply chain that might compromise businesses' confidentiality or the overall availability of those essential services," said Melissa Hathaway, a former cybersecurity official under both the George W. Bush and Barack Obama administrations.

What's that mean? It means that defense contractors and other so-called "critical infrastructure" providers, which use components made around the world, may well be in danger of buying counterfeit or compromised electronic parts. Fake parts such as microchips can be substandard and fail easily -- a nightmare for anyone in, say, the defense industry -- or they can be deliberately infected with spyware or a backdoor allowing an enemy to take over a piece of equipment.

"Products are being built, delivered, maintained, and upgraded all around the world, and they are vulnerable to opponents who wish [their end users] harm," said Hathaway during a speech at the Potomac Institute for Policy Studies today. This global supply chain "provides adversaries, or these opponents, with greater opportunities to manipulate the product from design through its entire life cycle" and may give those adversaries "access to those particular networks" in which the bogus or compromised parts have been installed.

The problem of counterfeit electronics in Defense Department supply chains is nothing new, but previous worries centered on those products being of poor quality and failing in use on weapon systems ranging from airplanes to submarines. Now, though, the threat of parts designed to actually spy on or cause harm to U.S. products may be coming to fruition.

"There are certainly -- we've seen instances" of nefarious electronics, said Brett Lambert, deputy assistant secretary of defense for manufacturing and industrial base policy -- i.e., the Pentagon's man in charge of making sure its supply chain is safe -- when asked if DoD has discovered chips with built-in backdoors that could allow someone to spy on or take over the system that the part is embedded in.

So how do you protect against counterfeits in a world where weapons systems are made up of parts from dozens of countries?

One word, incentives, came up again and again during today's event. It seems the Pentagon has learned from Congress' recent failure to enact cyber security legislation that contained minimal security regulations. The bill elicited howls from Republicans and businesses, which claimed requirements would stifle business.

"I think the market tends to work pretty well. The market does tend to be, in many cases, self-correcting," said Lambert at the Potomac Institute event. However, "we can't always wait around for the market to self-correct without some incentives."

Rather than imposing "onerous and objectionable" security standards on industry, "we're trying to come up with a reasonable approach where we work with the industrial base and the supply chain first of all to better understand the issues they uniquely face and then figure out what levers we have in the government whether they be on the incentive side via tax credits" or other methods.

One of the ideas floated repeatedly during the forum was giving tax breaks to companies whose products meet certain security standards -- similar to the way firms now receive tax credits for meeting environmental standards.

"We're really looking at incentives not disincentives," added Lambert. "My personal opinion is that strict regulations and restrictions when you talk about technologies never really work over a long period." Instead, they tend to stifle the agility and innovation required for industry to stay competitive in the technology arena, he said.

Dennis Bartko, special assistant for cyber to Gen. Keith Alexander, director of the National Security Agency, weighed in, saying that while the agency doesn't come up with policy and regulations, "having some set of standards however that is, [so] that folks can know what good [security practices are] and what is the mark to shoot for seems to us to be really important. How one takes those standards and either incentivizes or moves to make progress in there is the subject that's up for a lot of debate right now."

The government should work with industry to "assist in crafting the commercial standards which drive the technology engine and [apply] those when appropriate" rather than dictate its own regulations "where we may find ourselves coming up with great standards but alienating the very technological edge that we're seeking to obtain," added Lambert.
