The Complex

DoD-DHS' info sharing program on cyber threats isn't shrinking (updated)

Last week, Rep. Mike Rogers (R-Mich.) slammed the Pentagon program allowing some businesses to share information on cyber attacks with the government and receive help in defending against those attacks. Rogers claimed that since being expanded to include the Department of Homeland Security, the DECS program (or DIB-pilot project, as it's also known) has been bleeding members.

"The president said about a year ago that we want to have a thousand companies engaged in the DIB pilot. That was about a year ago. This oughta say everything we need to know...guess how many companies we have participating?" asked Rogers during a speech at the U.S. Chamber of Commerce. "I'll tell you: less than 20. We've lost somewhere between five and seven companies, no gains, no effort to get more people involved."

The only problem with his very public statement? It's wrong, according to Pentagon officials, who have been claiming over the last month that companies have been lining up to join the overall DIB program -- called the Defense Industrial Base Cyber Security Information Assurance program (DIB CS/IA).

When we first wrote about Rogers' comments last Friday, a Pentagon spokesman said this was the first he'd heard that any part of the program was struggling. Over the long weekend, we received more info from the Defense Department.

It turns out that the specific subset of the DIB program Rogers was talking about -- officially known as the DIB Enhanced Cybersecurity Services (DECS) program -- didn't have 20 members when it was in pilot mode, it had 17, and it has kept those members.

"The DIB CS/IA program has an optional component, called the DIB Enhanced Cybersecurity Services (formerly the DIB Cyber Pilot), which is a DoD-Department of Homeland Security partnership," wrote a Pentagon spokesman in an email. "In September 2012, DoD made DECS available to all companies participating in the DIB CS/IA program. Seventeen companies participated in the DIB pilot and continue to participate in DECS. Under DECS, DoD, via DHS, provides classified cyber threat information and technical countermeasures to DHS-authorized Commercial Service Providers (CSPs), who can then provide a fee-based managed cyber security service to interested DIB CS/IA companies."

(Here's the plain English explanation of DECS: Defense companies that sign up for it -- yes, it's a pay-for-services program -- get protection against cyber threats from their Internet providers, the "commercial service providers" in the Pentagon's language. These providers have received signatures of malicious Internet traffic identified by U.S. intelligence agencies, as well as "technical countermeasures" from the intel agencies, to detect and block those threats on their customers' behalf.)

So while DECS hasn't grown since being opened up to a broader number of companies last month, it hasn't lost five to seven members as claimed by Rogers.

Keep in mind that the Michigan Republican, who chairs the House intelligence committee, is pushing the Senate to pass a controversial bill allowing for broad information-sharing between private companies and the government in near real-time and protecting them from lawsuits for improperly sharing private citizens' information. Arguing that the Pentagon's current info-sharing program isn't working would only bolster his push for legislation.

According to the same Defense Department spokesman, the overall DIB program (DIB CS/IA) has more than 60 companies and 80 subsidiaries participating, with more applying to join each week.

"DoD opened the DIB CS/IA program to all eligible DIB companies in May 2012 with the publication of a federal rule," said the Pentagon spokesman. "Over 60 companies and approximately 80 wholly-owned subsidiaries now participate in the DIB CS/IA program. New companies apply to join the program each week. DoD estimates that the companies currently participating represent roughly 70 percent of" big defense contractors where DoD spends its weapons buying cash.  

Under the basic DIB CS/IA program, DoD provides defense contractors with classified and unclassified cyber threat information and advice on best practices for keeping their information safe. DIB participants, in turn, report cyber incidents for analysis, coordinate on mitigation strategies, and participate in cyber intrusion damage assessments if information about DoD is compromised.

Update: Rogers' office emailed Killer Apps last night strongly disputing the Pentagon's claim that there are 17 companies participating in DECS.

Here's what his office has to say:

The [House Permanent Select Committee on Intelligence] has heard directly from the telecommunications providers participating in DECS that several companies have left the program since the DIB Pilot Program ended. DoD and DHS confirmed in a briefing last week that of the 17 companies that participated in the original DIB pilot, only 8 remain.

The fact that half of the original companies have voted with their feet and left the program is more evidence that we need to pass an information sharing bill. Even if all 17 original DIB pilot companies were still in the program, it would be nothing to be happy about - this program should already be rapidly expanding to cover thousands of U.S. companies throughout the U.S. economy to get them the protection they need from advanced cyber threats like China.

The Department of Defense (DoD) should be very proud of what they accomplished under the DIB Pilot Program, which demonstrated a revolutionary new model for sharing classified cyber threat information with the private sector. Unfortunately, legal and policy obstacles are holding back DoD’s efforts to expand this model – we urgently need to pass an information sharing bill to overcome these obstacles.

DoD, meanwhile, tells Killer Apps it stands by its claim that DECS has 17 member companies.

Without a list of member companies, there's no way of knowing who is right, so Killer Apps is moving on.

U.S. lawmakers to American companies: Don't do business with Huawei or ZTE

Representatives Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) unveiled their report accusing Chinese telecom giants Huawei and ZTE of spying on American companies for the Chinese government today. Bottom line, the report recommends that U.S. businesses, especially those involved in "critical infrastructure," stop buying Huawei and ZTE products until the companies play by the rules.

Rogers, chair of the House Intelligence Committee, claimed during a press conference to unveil the report that Huawei and ZTE are likely breaking the law in the United States -- doing everything from bribing an unnamed company or official to "beaconing," or passing large amounts of sensitive data about U.S. companies back to China in the middle of the night (a claim that a Huawei spokesman denied after the press conference until he was nearly red in the face).

Rogers and Ruppersburger refused to provide more details or evidence about their allegations of wrongdoing other than saying they came from a thorough investigation.

Rogers said that during the lawmakers' yearlong investigation they spoke with everyone from current American employees of the two telecoms -- who were willing to reveal some of their alleged bad behavior -- to Chinese officials from the companies who weren't exactly cooperative, if you ask Rogers.

Rogers said that these firms are not "private entities" but rather are legally bound to conduct the industrial espionage he accused them of on behalf of the Chinese government.

Apparently, the investigation collected enough dirt on Huawei that the FBI is opening an investigation into "a clear case of bribery to get a contract in the United States," according to Rogers.

Among the key recommendations:

  • The U.S. government and government contractors shouldn't use anything made by the two companies, and the Committee on Foreign Investment in the U.S. (CFIUS) should block any acquisitions, mergers or takeovers involving Huawei and ZTE given their "threat to U.S. national security."
  • U.S. network providers and systems developers should "seek other vendors for their projects."
  • The U.S. government should investigate unfair trade practices, especially illegal Chinese government subsidies to companies like Huawei and ZTE that allow Chinese businesses to undercut their competitors.
  • Chinese companies should become more transparent and responsive to U.S. legal obligations.
  • The U.S. Congress should consider legislation dealing with the risk posed by telecoms with "nation-state ties or otherwise not clearly trusted to build critical infrastructure." Such legislation could involve increasing private companies' ability to share information on cyber threats and increasing CFIUS' ability to review purchasing agreements.

Now, here's the unclassified version of the report.

Huawei-ZTE Investigative Report (FINAL)