UPDATE 2-Pentagon to tighten contractors' cybersecurity
(Adds comments, reaction, analysis)
By Jim Wolf
WASHINGTON May 11 (Reuters) - The U.S. Defense Department invited all of its eligible contractors on Friday to join a previously restricted information-sharing pact aimed at guarding sensitive Pentagon program data stored on private computer networks.
Greater sharing with the so-called defense industrial base was a key step to coping with widespread cyber threats to U.S. national security, said Ashton Carter, deputy defense secretary, in a statement.
"Increased dependence on Internet solutions have exposed sensitive but unclassified information stored on corporate systems to malicious probes, theft and attacks," he said.
The blanket invitation follows a pilot, known as the Defense Industrial Base Cyber Security/Information Assurance Program, that involved fewer than 40 volunteer companies.
Those eligible to join the public-private partnership must have met requirements for safeguarding classified information at least at "Secret" level, said a Defense Department official familiar with the matter.
More than 2,000 companies qualify and the membership rolls will be expanded on a first-come, first-served basis, the official said.
At the program's entry level, the Pentagon will give participants unclassified "indicators" and classified "contextual information," as well as suggested measures for addressing cyber threats.
The companies, for their part, must report attempts to pierce their networks and participate in government damage assessments if needed, according to newly released documents about efforts to shore up contractors' network security.
An add-on option would provide enhanced government cybersecurity services to participants and their commercial Internet service providers, including classified threat and technical information.
YEARS IN MAKING
The information-sharing model has been years in the making, notably because it involves sensitive non-public information, including trade secrets, which must be protected to preserve the program's integrity.
Volunteer companies must sign a standardized bilateral framework pact that calls for sharing "to the greatest extent possible" for the clearest understanding of cyber threats, according to an interim final rule published Friday in the Federal Register (here).
"This will allow the company to improve defense and remediation efforts and allow the government to assess the damage or impact to defense information and programs entrusted to the company," the document said.
The cyber threat to U.S. aerospace, defense and other high-technology companies is increasing at "a rapid and accelerating rate," Rear Admiral Samuel Cox, director of intelligence for the military's Cyber Command, told a forum last month.
The Office of the National CounterIntelligence Executive, a U.S. intelligence arm, said in an unclassified report to Congress in October that China and Russia were in the forefront of keyboard-launched theft of U.S. trade and technology secrets to bolster their fortunes at U.S. expense.
Expansion of the cyber-sharing program, which began in 2007, would let the Defense Department's communications-intercepting National Security Agency share sensitive data with a greater range of private companies and gather more valuable information from them to help fight the threat.
The initial effort provided for sharing of cyber threat-related intelligence only up to the "Secret" level. Last year, the Defense Department added more sensitive classified information to the pilot group while working out procedures and rules for the broader base.
The Department of Homeland Security also will be involved in the expanded information-sharing program, the Pentagon said, without providing details on their inter-agency cooperation agreement.
Tom Goldberg of American Technology Specialists, an information technology support provider to small business, said the expansion was an essential first step, but more was needed to boost Pentagon contractors' cybersecurity.
"Much of the equipment used today comes equipped with back-doors, trap-doors and Trojan horses directly from the factories where they are made," he said.
Jason Healey of the Atlantic Council research group, who has worked on cybersecurity for the White House and Goldman Sachs, questioned whether the paperwork and other burdens would pay off.
"The DIB pilot probably increases the defenders' work factor much more than it increases the attackers," he said. "This is a lot of work and a lot of taxpayer dollars for something that has apparently not proven it can increase security more than on the margins." (Additional reporting by Andrea Shalal-Esa. Editing by Steve Orlofsky and Bernadette Baum)