The Complex

Defense bill would require contractors to notify DoD of cyber intrusions

In case you missed it, buried inside the 2013 defense authorization bill is a clause that would require defense contractors to notify the Pentagon any time they have suffered a "successful penetration."

Section 936 of the bill requires that the Pentagon "establish a process" for defense contractors that have classified information on their networks to quickly report any successful cyber attacks against them to the Defense Department. Contractors must include a description of the "technique or method used in the penetration," and include samples of the "malicious software, if discovered and isolated by the contractor," reads the bill.

The bill would also require contractors to give DoD access to "equipment or information" to determine if any classified "information created by or for" the DoD had been stolen. It prohibits the Pentagon from distributing this information outside of DoD without the victim's approval.

(While a limitied number of contractors already participating in DoD's cyber security program known as the DIB CS/IA already tell the Pentagon about such breaches, this law would cover all defense contractors, explained a Pentagon spokesman.)

Sound familiar? That's because this language is similar to what Sens. Joe Lieberman (I-Ct.) and Susan Collins (R-Maine) wanted utilities, transportation companies, telecoms and banks to do with the Department of Homeland Security in the Cyber Security Act of 2012, which failed to advance in the Senate last month.

Advocates say Section 936, authored by Senate Armed Services Committee chairman Carl Levin (D-Mich) is badly needed given that U.S. businesses including defense contractors have had reams (billions of dollars worth, by some accounts) of sensitive data stolen by hackers in China and Russia. In fact, 2007 and 2008 Lockheed and other defense contractors working on the F-35 Joint Strike Fighter program (the biggest weapons buy in Pentagon history) were the victims of large-scale hacks that resulted in classified information about the jet being stolen, leading to a costly redesign of some of the plane's systems.

It may be no coincidence that China recently produced a stealth fighter -- the J-31 -- that looks an awful lot like an F-35.

"This is really important. We shouldn't belittle it -- there's a lot of this stuff going on," David Smith, director of the Potomac Institute's Cyber Center, said during a Dec. 4 speech. "We're basically funding the research and development for the People's Liberation Army and the army of the Russian Federation and maybe a few others."

During a press conference after the Senate passed its version of the NDAA this week, Levin said, "I think it's so obvious that if a defense contractor with classified information has their networks penetrated and attacked, that the government has to know about that."

John McCain (R-Ariz.), the top republican on the Senate Armed Services Committee, echoed Levin's statements, saying that since defense contractors are spending public money, they should have to report security breaches.

"It's the taxpayer's dollar," said McCain, who opposed the Lieberman-Collins bill because he thought that the National Security Agency, not the civilian DHS, should have the lead in protecting critical infrastructure from cyber attack. "It's nonsense to think that somehow the government should not be made aware of" cyber attacks against defense contractors.

U.S. Air Force

National Security

DoD working to reveal more about its cyber spending

If you've been baffled by just what the Defense Department is talking about when it says "cyber," get ready, because DOD is going to try to enlighten you.  

One of the biggest frustrations for anyone dealing with the government and cyber (a word, that to many Americans under 40 is just a silly old term for something people did on naughty chatrooms in the mid ‘90s) is that right now the term encompasses everything from regular IT work, like updating software, to unleashing advanced cyber weapons like Stuxnet that are capable of causing real world damage. This confusion persists even as cyber-everything is set to receive more funding and see more involvement in everything from spy operations to combat.

So, as part of its fiscal year 2014 budget request, the Pentagon will parse cyber operations from traditional IT work -- a move aimed at reducing confusion as to just what types of DOD operations constitute cyber.

"In the upcoming FY14 budget, we are working to provide a more comprehensive funding profile for future cyber activities," a Pentagon spokesman told Killer Apps in an email. "While we consider these activities part of the overall IT budget, we intend to separately identify 'cyber' and 'non-cyber' spending within the IT budget. Such a breakdown will provide further clarity to the Congress and the American people about the Department of Defense's critical support to defending the nation from cyber attacks."

The spokesman went on to point out that cyber operations are only set to increase in importance and funding.

"One of the Department of Defense's highest priorities is increasing innovation and investment in the cyber domain," he wrote.  

As we wrote yesterday, the nebulous definition of just what exactly constitutes cyber operations has confused everyone from the Air Force's top general to the Government Accountability Office. The current, broad definition of cyber is making it difficult for lawmakers and military planners to figure out how to allocate resources into cyber at a time when defense budgets are being slashed.

(On a side note: How many times can you use the word confusion in one article? Answer: A lot if you're writing about cyber.)

Several Air Force generals have pointed out recently that the vast majority of the service's "cyber" resources are currently tied up in mundane IT work. Air Force tech officials hopes to automate day-to-day network maintenance and operations so that the cyber troops can focus on high-end operations such as hunting for enemy hackers, conducting online spying, and developing cyber weapons.

U.S. Air Force