As hackers and hostile nations launch increasingly sophisticated cyberattacks against U.S. defense contractors, the Pentagon is extending a pilot program to help protect its prime suppliers.
That program could serve as a possible model for other government agencies. It is being evaluated by the Department of Homeland Security, as part of a potential effort to extend similar protections to power plants, the electric grid and other critical infrastructure.
Efforts to better harden the networks of defense contractors come as Pentagon analysts investigate a growing number of cases involving the mishandling or removal of classified data from military and corporate systems. Intrusions into defense networks are now close to 30 percent of the Pentagon’s Cyber Crime Center’s workload, according to senior defense officials. And they say it continues to increase.
The Pentagon’s pilot program represents a key breakthrough in the Obama administration’s push to make critical networks more secure by sharing intelligence with the private sector and helping companies better protect their systems. In many cases, particularly for defense contractors, the corporate systems carry data tied to sensitive U.S. government programs and weapons.
So far, the trial program involves at least 20 defense firms. It will be extended through mid-November, amid ongoing discussions about how to expand it to more companies and subcontractors.
“The results this far are very promising,” said William Lynn, the deputy secretary of defense who launched the program in May. “I do think it offers the potential opportunity to add a layer of protection to the most critical sectors of our infrastructure.”
Lynn, who has just left office, said the government should “move as expeditiously” as it can to expand the protections to other vital sectors.
A senior DHS official said no decisions have been made, but any effort to extend the program – including to critical infrastructure – faces a number of challenges.
The official, who spoke on condition of anonymity because the program review is ongoing, said it would be helpful if Congress would pass legislation that explicitly says DHS is responsible for helping private sector companies protect themselves against cyberattack. Also, the legislation should say that companies can be protected from certain privacy and other laws in order to share information with the government for cybersecurity purposes, the official said.
Senior U.S. leaders have been blunt about the escalating dangers of a cyberattack, and have struggled to improve the security of federal networks while also encouraging the public and corporate America to do the same.
“Cyber actually can bring us to our knees,” said Adm. Mike Mullen, chairman of the Joint Chiefs of Staff, adding that at some point the Pentagon may need to develop some type of governing structure similar to how the U.S. and allies monitor and limit nuclear weapons.
Data compiled by the Defense Cyber Crime Center shows that the number of investigations handled by analysts there has more than tripled over the past 10 years. And a growing number of them involve defense contractors – including those participating in the pilot program.
Housed near Fort Meade, Maryland, the so-called DC3 employs about 100 digital examiners who sift through millions of bytes of data in the digital forensics lab. Stacks of hard drives line the shelves, and clear plastic evidence bags are filled with a vast expanse of computer technology – from cell phones and tiny flash drives to iPads, Wii consoles and Nintendo games.
The analysts dissect intrusions, malware and other attacks that have breached or tried to burrow into the defense contractors’ computer systems. And while those investigations are just a small fraction of the lab’s work, the number has grown steadily over the past three years.
The caseload includes about 100 in the past year that involve the defense industrial base. Much of the center’s work is for criminal cases for the military’s investigative branches – including the Army and Navy criminal investigative services and the Air Force Office of Special Investigations.
Cybersecurity expert James Lewis said there will be some tough hurdles in any effort to expand the pilot program to more military contractors or through DHS to other critical infrastructure companies. But he said it can be done.
The Pentagon has multi-million dollar contracts with companies, making it easier to build on those relationships and, if needed, link cyber threat cooperation to future contracts, said Lewis, who is with the Center for Strategic and International Studies.
DHS, however, doesn’t have that type of contracting relationship with electric companies, power generation plants, financial firms or other critical corporations that run vital infrastructure. And the agency would probably need additional Congressional authorities to set up a program similar to the DOD pilot.
“If they move smartly, it could be done in two years. This is not an insolvable problem,” said Lewis. “DHS needs more authorities to oversee the process. And they have to work through antitrust, information sharing and privacy issues.”
The senior DHS official said that just keeping up with the ever-changing cyberthreats is a challenge, making it more difficult to determine the appropriate roles for the government, the companies and the internet service providers.
Both DHS and defense officials acknowledge that funding is another factor that must be worked out. As yet, they said, they don’t know what the exact costs would be and how they would be allocated between the government and the private sector.