The Complex

Is the Pentagon and DHS' cyber info sharing program really shrinking?

The Pentagon's effort to exchange data about cyber threats with defense contractors -- dubbed the Defense Industrial Base (DIB) program -- has actually been losing participants since it was expanded to include the Department of Homeland Security, according to Rep. Mike Rogers (R-Mich.).

"They gave DHS responsibility to [expand] from the 20 in the DIB pilot, the 20 original companies working through the Department of Defense whose mission it was to kind of get this information-sharing thing up and running to see if we could actually do it and if it was scalable," said Rogers during a speech yesterday at the U.S. Chamber of Commerce, where he questioned DHS's ability to be the lead federal agency in defending privately owned critical infrastructure from cyber attack.  

"The president said about a year ago that we want to have a thousand companies engaged in the DIB pilot. That was about a year ago. This oughta say everything we need to know . . .  guess how many companies we have participating?" asked Rogers. "I'll tell you: less than 20. We've lost somewhere between five and seven companies, no gains, no effort to get more people involved."

Rogers' comments come on the heels of assertions by several Pentagon officials who say that companies are lining up to join the program that was expanded out of pilot mode last spring.

"If you're a Defense Department contractor with a facility clearance, we want to share classified threat information with you," Richard Hale, the Pentagon's deputy chief information officer for cyber, said on Sept. 27 of DoD's efforts to expand the program with DHS. "It's a voluntary program. We'll share with you, you share with us. We also have a second part of that program that allows you to get security services from a service provider that's getting classified information and using it to protect you."

"We're teamed closely with [the Department of Homeland Security] to see if DHS can expand this model out to other critical infrastructure," added Hale.

Hale's comments echoed those of his boss, DoD's chief information officer, Teri Takai.

"We've got a queue of companies that are interested in joining, we've got other federal agencies that are interested in coming aboard, and we've got other federal agencies that are interested in either using our program or creating a similar program," said Takai while discussing the program with Killer Apps in early September.

Rogers made his criticisms during the same speech in which he claimed that a newfound cyber threat may prompt lawmakers to consider passing legislation that would allow private companies to quickly share information about cyber threats with the federal government without fear of being sued for misusing U.S. citizens' private information. Numerous pieces of legislation (including Rogers' CISPA) aimed at allowing the government and private sector to quickly share information about cyber threats were defeated in the last year amid protest from a range of privacy advocates.

DoD tells Killer Apps it is looking into Rogers' comments, with one spokesman saying, "This is the first I'm hearing that the DIB program is struggling for members."

National Security

Mike Rogers is trying to revive CISPA

In light of what in his opinion is a new cyber threat, the chair of the U.S. House Intelligence Committee is making a last-ditch push to pass controversial cybersecurity legislation before the end of the year.

"There was a very good meeting with some members of the Senate, some briefings on what appears to be a new level of threat that would target networks here from an unusual source that has some very real consequences if you are not able to deal with it," said Rep. Mike Rogers (R-Mich.) during a speech at the U.S. Chamber of Commerce today. "Because of that particular brief, I think it rekindled people's interest in trying to get something done here in lame duck."

When asked for more information about the new threats, Rogers wouldn't say much other than it's a country that isn't traditionally viewed as a major cyber threat.

"There are new capabilities coming online every day, so the Chinese are great at stealing information and you have other nation-states that are just developing capabilities to do attacks or denial of service, so you can imagine, our concern is nation states are developing capability to do just that beyond the normal group of [countries] that we often talk about" attacking the United States, said Rogers.

The bill would be a "rekindling" of the Cyber Intelligence Sharing and Protection Act, or CISPA.

CISPA passed in the House in April 2012 but failed to advance in the Senate amid opposition from privacy advocates such as the ACLU, the Electronic Frontier Foundation, the Mozilla Foundation (the creators of Firefox), and even Tim Berners-Lee, one of the founding fathers of the Internet.

"The only bill that is bipartisan, that's passed a committee, vetted through a committee, that has had hours and hours and hours of input from end users -- the business community and government folks who are charged with the responsibility to implement it -- is this bill," said Rogers of CISPA.

The bill would allow the government to share intelligence about online threat signatures with companies and allow companies to quickly notify the government when they believe they are under attack without fear of being sued for improperly sharing customers' private information.

"Given this new round of, I would argue new threats, that maybe we can move forward and get the Senate to move a little bit," said Rogers, urging fellow lawmakers to pass information sharing legislation and push any work on bills aimed at mandating minimum cybersecurity standards for banks, utilities, transportation companies, and Internet service providers and other "critical infrastructure" providers to next year.

Congress' most recent attempt at cybersecurity legislation that contained provisions on information-sharing -- the Cybersecurity Act of 2012 (CSA) -- was shot down in August by Republican senators opposed to the minimal security standards that it required of critical infrastructure providers.

"Given the recent rounds of what I would argue are new threat information, I think at least revitalized discussions between the Senate and the House on possibilities for the way forward" for "moving a sharing portion [of legislation] during the lame duck," said Rogers. 

If the information isn't shared in "real-time, it doesn't work," said Rogers after his speech.

Rogers went on to join fellow lawmakers in knocking the White House's executive order on cybersecurity that is in the works. Rogers lamented the White House's lack of outreach to Congress and the private sector in crafting the order.

"This is a huge problem. They've taken no private sector input that we can find, they haven't taken any input [from Congress] and we've spent almost two years studying all of this problem, we've got great data, and this was a bipartisan effort...we've got reams of material, nothing," said Rogers.

Earlier this week, Sen. Susan Collins (R-Maine), co-author of CSA 2012, called the executive order a "big mistake."

Meanwhile, Rogers is pressing for the government to produce a classified and unclassified National Intelligence Estimate on the state of cyber threats worldwide.

"Hopefully we can get some solution on that early next year," said the congressman.

While Rogers wouldn't elaborate on the threat, several cybersecurity experts that Killer Apps spoke with said that he could simply be referring to Sen. Joe Lieberman's (I-Ct.) claims last week that recent cyber attacks against U.S. banks may be the work of Iran.