The Department of Defense is planning to extend the cyber-defense pilot program in which it shares classified threat intelligence with defense contractors and other companies.
The Defense Industrial Base Cyber-Pilot provides member organizations with classified information about viruses, malware and other cyber-threats to help them defend against sophisticated attacks and network intrusions. The pilot will be extended through mid-November, the Associated Press reported Sept. 26.
So far, the trial program involves at least 20 defense firms. There are discussions as to how it can be expanded to include more companies and subcontractors. The Department of Homeland Security (DHS) is also evaluating the program to provide similar information to defend power plants, electrical grids and other critical infrastructure from cyber-attack.
“The results this far are very promising,” Deputy Defense Secretary William Lynn told AP. “I do think it offers the potential opportunity to add a layer of protection to the most critical sectors of our infrastructure.”
The data collected and shared since the program launched in May has helped stop “hundreds of attempted intrusions” by identifying malware signatures, Lynn said earlier this month.
The Obama administration is interested in this kind of public-private partnership to protect United States defense companies from sophisticated cyber-attacks targeting sensitive information. A senior DHS official told AP that implementing this kind of a program would be easier if Congress would pass legislation explicitly giving DHS the lead role in helping private sector companies secure critical infrastructure.
DHS needs more authority over critical infrastructure and must be able to “mandate” risk-based performance, according to James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. Currently, the Defense Department does not have the legal authority to defend civilian systems, and Homeland Security, which oversees private-sector cyber-security, does not have the power to regulate those systems.
Rep. Dan Lungren, R-Calif., chairman of the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, has proposed creating a United States Computer Emergency Response Team (US-CERT) within DHS that is responsible for protecting federal and critical infrastructure systems and a non-profit organization called the National Information Security Organization that would be managed by the DHS secretary.
The nonprofit organization would have a board of directors comprising a representative from DHS, three representatives from different federal agencies that deal with cyber-security, and five representatives from the private sector that operate networks or facilities that have been deemed critical infrastructure, such as energy, water and communications networks.
There have been a number of high-profile attacks against defense companies this year, including unknown attackers who used information stolen from RSA Security to compromise Lockheed Martin, a March attack in which criminals stole files related to missile tracking systems from a defense contractor and Anonymous leaking information belonging to military personnel.
Intrusions into defense networks are now close to 30 percent of the Pentagon’s Cyber Crime Center’s workload, senior defense officials told AP.
More than 60,000 new malicious software programs or variations are identified every day, “threatening our security, our economy and our citizens,” Defense Secretary Leon Panetta said earlier this year.