In case you missed it, buried inside the 2013 defense authorization
bill is a clause that would require defense contractors to notify the Pentagon any
time they have suffered a "successful penetration."
Section 936 of the bill requires that the Pentagon "establish a process" for
defense contractors that have classified information on their networks to quickly
report any successful cyber attacks against them to the Defense Department.
Contractors must include a description of the "technique or method used in the
penetration," and include samples of the "malicious software, if discovered and
isolated by the contractor," reads the bill.
The bill would also require contractors to give DoD access
to "equipment or information" to determine if any classified "information
created by or for" the DoD had been stolen. It prohibits the Pentagon from
distributing this information outside of DoD without the victim's approval.
(While a limited number of contractors already participating in DoD's cyber security program, known as the DIB CS/IA, tell the Pentagon about such breaches, this law would cover all defense contractors, a Pentagon spokesman explained.)
Sound familiar? That's because this language is similar to
what Sens. Joe Lieberman (I-Ct.) and Susan Collins (R-Maine) wanted utilities, transportation
companies, telecoms and banks to do with the Department of Homeland Security in
the Cyber Security Act of 2012, which failed to advance in the Senate last month.
Advocates say Section 936, authored by Senate Armed Services
Committee chairman Carl Levin (D-Mich.), is badly needed given that U.S.
businesses including defense contractors have had reams (billions of dollars
worth, by some accounts) of sensitive data stolen by hackers in China and
Russia. In fact, in 2007 and 2008 Lockheed and other defense contractors working
on the F-35 Joint Strike Fighter program (the biggest weapons buy in Pentagon
history) were the victims of large-scale hacks that resulted in classified
information about the jet being stolen, leading to a costly redesign of some of
the plane's systems.
It may be no coincidence that China recently produced a
stealth fighter -- the J-31 -- that looks an awful lot like an F-35.
"This is really important. We shouldn't belittle it -- there's
a lot of this stuff going on," David Smith, director of the Potomac Institute's
Cyber Center, said during a Dec. 4 speech. "We're basically funding the research
and development for the People's Liberation Army and the army of the Russian
Federation and maybe a few others."
During a press conference after the Senate passed its version
of the NDAA this week, Levin said, "I
think it's so obvious that if a defense contractor with classified information has
their networks penetrated and attacked, that the government has to know about that."
John McCain (R-Ariz.), the top
Republican on the Senate Armed Services Committee, echoed Levin's statements,
saying that since defense contractors are spending public money, they should have
to report security breaches.
"It's the taxpayer's dollar," said McCain,
who opposed the Lieberman-Collins bill because he thought that the National Security
Agency, not the civilian DHS, should have the lead in protecting critical infrastructure
from cyber attack. "It's nonsense to think that somehow the government should not
be made aware of" cyber attacks against defense contractors.