The joint DoD-DHS program that provides defense contractors with protection from bad cyber actors identified by U.S. intelligence agencies has actually shrunk, contrary to the Pentagon's earlier insistence otherwise.
The Defense Enhanced Cybersecurity Services (DECS) program has been touted as one way that the U.S. government can partner with private "critical infrastructure providers" to boost their online defenses. Under DECS, businesses pay their Internet service providers (ISPs) a fee to receive extra protection from specific threat signatures that have been identified by American spy agencies as being malicious. (Those signatures -- collected via secret means -- are given to the ISPs by the U.S. government.)
The program ran in pilot mode for nearly two years with 17 member companies subscribing, and it was opened up to a broader swath of companies last month.
However, several weeks ago, Rep. Mike Rogers (R-Mich.), chair of the House intelligence committee, claimed that, while DECS is a good idea, the program has been shrinking, something the Pentagon denied. Until now.
"At the end of the operational pilot, one of the commercial service providers withdrew," a Pentagon spokesman explained in an Oct. 24 email. "During the operational testing of the pilot, five of the 17 DIB companies chose to withdraw and reallocate their resources to other corporate priorities."
That leaves 12 companies that are participating in the DECS program. Four of the five companies that quit during the pilot are considering rejoining a modified version of the program, according to DoD. These companies would cut out the ISPs as middlemen and receive threat signatures straight from the government, allowing them to monitor their own networks without paying the ISPs.
"Four of the five companies that withdrew are now reviewing the documentation for the permanent DECS component to determine whether to become an operational implementer, wherein they would be authorized to implement the services for their own networks," reads the email.
The Pentagon explained its earlier insistence that the DECS program still had 17 members by saying that, since the program involves relationships between the defense contractors and ISPs, it did not receive updates on how many companies were actually participating.
"Under DECS, the services are primarily a relationship between the companies and their commercial service providers," reads the email. "Participating companies are not obligated to report data about their participation on a regular basis. When DoD responded to queries from the press on the number of companies that were participating in the program early last week, DoD used the best information available at the time. Subsequent further direct engagement with each company resulted in the more specific count above. To support House Permanent Select Committee on Intelligence (HPSCI) inquiries, DoD contacted each of the original 17 pilot participants for feedback and status."
Meanwhile, the larger initiative to which DECS belongs -- the Defense Industrial Base Cybersecurity Assurance (DIB CS/IA) program -- has been growing as advertised since it was opened to a large number of defense companies in May 2012, according to the Pentagon. DIB CS/IA allows for information-sharing about cyber threats between defense companies and the government.
"Since May 2012, the DIB CS/IA program has expanded from 34 to 65 companies, with new companies joining every week," read the spokesman's email. "In addition, since DoD recently finalized the processes for DIB CS/IA participants to join DECS, DoD continues to inform DIB companies of the availability of the services offered in the baseline DIB CS/IA program and the enhanced services under DECS."