WASHINGTON (Reuters) - Up to 8,000 companies doing business with the Pentagon may be qualified to join a newly expanded U.S. effort to guard sensitive information on private networks, a senior Defense Department official said Monday.
The Pentagon on Friday invited all of its eligible contractors to join the voluntary pact aimed at fighting what U.S. officials have described as growing cyber threats that allegedly originate, above all, in Russia and China.
The Defense Department will provide intelligence-derived information on malicious Internet traffic to the companies; the firms are to share information on any cyber penetrations of their networks with the government.
“We think there are as many as 8,000 that are already cleared and could be participants in the program,” Richard Hale, the department’s deputy chief information officer, said in a teleconference.
Perhaps 1,000 companies are expected to take part in the permanent new program initially, and if it grows beyond this, “We would be pleased,” he said.
The trial program began in 2007 and had been capped until last week at 36 participants. Of the three dozen, 17 had opted for an enhanced effort, begun about a year ago, under which their Internet service providers scanned their incoming traffic based on information provided by the National Security Agency, the communications-intercepting Pentagon arm.
Eric Rosenbach, deputy assistant secretary of defense for cyber policy, said companies that make up the so-called defense industrial base had been under “unrelenting attack from sophisticated actors trying to steal intellectual property and sensitive information.”
The service was not intended as a “silver bullet” to thwart cyber threats but a promising link of public and private interests, he said. He added that it could be readily scaled to help guard crucial U.S. infrastructure - power grids, financial networks, transportation services - if a decision to do so were made by the White House.
Three Internet service providers currently are providing filtering and remediation services using specialized intelligence on a pay-for-service basis, Rosenbach told the teleconference.
He declined to name the trio, citing what he called their preference in the matter. The intelligence information involved was relayed by the Defense Department to the Department of Homeland Security, which is responsible for dealing with the service providers, Rosenbach said.
Verizon Communications Inc is participating, Richard Young, a company spokesman, said by email. AT&T Inc and CenturyLink Inc - the two others widely reported to round out the group - did not return requests for comment.
Rosenbach said no “personally identifiable information” was being passed back to the government by the providers of the enhanced cybersecurity service.
The basic service is a kind of alert to cyber threats and suggestions for remedying them. To be eligible, a company must be cleared by the Pentagon to store classified information on its networks and premises up to at least the “Secret” level.
Privacy and civil liberties had been front and center during development of the program, reviewed by the Justice Department and by privacy experts within the U.S. government, Rosenbach said.
The cyber threat to U.S. aerospace, defense and other high-technology companies is increasing at “a rapid and accelerating rate,” Rear Admiral Samuel Cox, director of intelligence for the military’s Cyber Command, told a conference last month.
The Office of the National Counterintelligence Executive, a U.S. intelligence arm, said in an unclassified report to Congress in October that China and Russia were in the forefront of keyboard-launched theft of U.S. trade and technology secrets.
Reporting By Jim Wolf; editing by M.D. Golan