By Jim Wolf
WASHINGTON, May 11 - The U.S. Defense Department
invited all of its eligible contractors on Friday to join a
previously restricted information-sharing pact aimed at guarding
sensitive Pentagon program data stored on private computer
Greater sharing with the so-called defense industrial base
was a key step to coping with widespread cyber threats to U.S.
national security, said Ashton Carter, deputy defense secretary,
in a statement.
"Increased dependence on Internet solutions have exposed
sensitive but unclassified information stored on corporate
systems to malicious probes, theft and attacks," he said.
The blanket invitation follows a pilot, known as the Defense
Industrial Base Cyber Security/Information Assurance Program,
that involved fewer than 40 volunteer companies.
Those eligible to join the public-private partnership must
have met requirements for safeguarding classified information at
least at "Secret" level, said a Defense Department official
familiar with the matter.
More than 2,000 companies qualify and the membership rolls
will be expanded on a first-come, first-served basis, the
At the program's entry level, the Pentagon will give
participants unclassified "indicators" and classified
"contextual information," as well as suggested measures for
addressing cyber threats.
The companies, for their part, must report attempts to
pierce their networks and participate in government damage
assessments if needed, according to newly released documents
about efforts to shore up contractors' network security.
An add-on option would provide enhanced government
cybersecurity services to participants and their commercial
Internet service providers, including classified threat and
YEARS IN MAKING
The information-sharing model has been years in the making,
notably because it involves sensitive non-public information,
including trade secrets, which must be protected to preserve the
Volunteer companies must sign a standardized bilateral
framework pact that calls for sharing "to the greatest extent
possible" for the clearest understanding of cyber threats,
according to an interim final rule published Friday in the
Federal Register.
"This will allow the company to improve defense and
remediation efforts and allow the government to assess the
damage or impact to defense information and programs entrusted
to the company," the document said.
The cyber threat to U.S. aerospace, defense and other
high-technology companies is increasing at "a rapid and
accelerating rate," Rear Admiral Samuel Cox, director of
intelligence for the military's Cyber Command, told a forum last
The Office of the National Counterintelligence Executive, a
U.S. intelligence arm, said in an unclassified report to
Congress in October that China and Russia were in the forefront
of keyboard-launched theft of U.S. trade and technology secrets
to bolster their fortunes at U.S. expense.
Expansion of the cyber-sharing program, which began in 2007,
would let the Defense Department's communications-intercepting
National Security Agency share sensitive data with a greater
range of private companies and gather more valuable information
from them to help fight the threat.
The initial effort provided for sharing of cyber
threat-related intelligence only up to the "Secret" level. Last
year, the Defense Department added more sensitive classified
information to the pilot group while working out procedures and
rules for the broader base.
The Department of Homeland Security also will be involved in
the expanded information-sharing program, the Pentagon said,
without providing details on their inter-agency cooperation
Tom Goldberg of American Technology Specialists, an
information technology support provider to small business,
said the expansion was an essential first step, but more was
needed to boost Pentagon contractors' cybersecurity.
"Much of the equipment used today comes equipped with
back-doors, trap-doors and Trojan horses directly from the
factories where they are made," he said.
Jason Healey of the Atlantic Council research group, who has
worked on cybersecurity for the White House and Goldman Sachs,
questioned whether the paperwork and other burdens would pay
"The DIB pilot probably increases the defenders' work factor
much more than it increases the attackers'," he said. "This is a
lot of work and a lot of taxpayer dollars for something that has
apparently not proven it can increase security more than on the
(Additional reporting by Andrea Shalal-Esa. Editing by Steve
Orlofsky and Bernadette Baum)