Stalled cybersecurity decision keeps Lockheed on hold
Internet providers such as Verizon Communications Inc. and defense contractors including Lockheed Martin Corp. say they’re waiting for the government to set the terms for an initiative intended to bolster corporate cybersecurity by sharing classified intelligence.
President Barack Obama’s administration may expand to banks and utilities a Pentagon pilot program testing how Internet-service providers can use classified data to protect defense contractors from online threats. Among unresolved issues is how much customers would have to pay providers for services that draw on the U.S. intelligence.
“There is a cost to doing this type of security operation, but the way the program will be funded has not been determined,” Marcus Sachs, vice president of national security policy for Verizon, said in an interview. Expenses include personnel, equipment and software installation, he said.
Questions about how much an expanded program might cost the government or companies may influence debate in Congress over cybersecurity legislation that calls for expanded sharing of threat data. Republican lawmakers have touted information-sharing as a cheaper alternative to imposing federal requirements on companies running systems considered essential to national and economic security.
The outcome may influence the global market for cybersecurity services, projected to reach $80 billion by 2017, according to Global Industry Analysts Inc., a San Jose, California-based research firm.
The U.S. government is trying to prevent hacking attacks originating in countries throughout the world from causing severe economic or national security damage. The U.S. charged one Russian and six Estonians in November with operating a criminal hacking ring that infected 4 million computers in more than 100 countries, including 500,000 domestically.
The Homeland Security Department was given control of the Cybersecurity Services Pilot project in December after the National Security Agency’s bid to lead the initiative was spurned by the Obama administration.
“The approval to go forward and expand it to more companies and other sectors is not done,” Dale Meyerrose, vice president at Harris Corp. and former chief information officer for the U.S. Director of National Intelligence, said in an interview. “There’s a debate and appropriate discussion on all sides on how to expand it.”
If the project takes off, it could set up a competition between defense contractors and Internet-service providers, according to Alan Paller, director of research at the SANS Institute, a computer-security training company based in Bethesda, Maryland.
“There’s a war between them about who’s going to get the money,” Paller said in an interview.
The effort is at a standstill as the administration and Congress debate whether the program will be voluntary or made mandatory for some companies deemed vital to economic or national security.
Those decisions may determine how companies such as New York-based Verizon or Lockheed participate, what services they would offer and at what cost, as well as the size of the potential market.
“You can’t have an affordability discussion unless the U.S. government declares what the market is and who could provide it and who can actually consume it,” Chandra McMahon, chief information security officer at Bethesda, Maryland-based Lockheed, the world’s largest defense contractor, said in an interview. Lockheed participated in the Pentagon-led effort on information-sharing and also provides cybersecurity services to U.S. agencies.
Verizon, the second-largest U.S. phone carrier after AT&T Inc., said it is providing cybersecurity services to companies while the government works on expanding the program.
Companies want the government to clarify the participating industries and commit to making classified cyberthreat information available over the long term, according to a study of the pilot program by Carnegie Mellon University in Pittsburgh, Pennsylvania. The report completed in November hasn’t been publicly released.
No decision has been made whether to expand the program beyond the defense industry or on the rules for who can participate and how information will be shared, Bruce McConnell, cybersecurity counselor at the Homeland Security Department, said in an interview.
The department would like to design a program that can grow while ensuring “a fair, level playing field for everyone who wants to participate,” McConnell said. While no timeline has been set for a final decision, he said the administration is moving forward “through a deliberative process.”
The department wants Congress to pass cybersecurity legislation clarifying legal authority for the government and companies to share information, McConnell said. Legislation pending in Congress would shield companies from lawsuits when they receive and share information on cyberthreats.
“It would provide legal certainty for the companies to take that issue off the table,” McConnell said.
The department decided when it took over the program that Internet-service providers could charge their customers for services. It also gave participating companies the option to bypass Internet providers and receive classified intelligence directly from the government, as long as they had the ability to protect the data.
McConnell likened the model to that of the National Weather Service. In some cases, companies take weather data compiled by the government and add value before selling the information for profit.
“The government has a lot of experience with that kind of a business model and it can be a good division of responsibilities,” McConnell said.
A Senate bill that may come up for a vote in early March would give the Homeland Security Department authority to set regulations requiring companies to protect vital U.S. computer networks.
Lawmakers such as Representative Mike Rogers, a Michigan Republican who heads the House Intelligence Committee, and industry groups such as the U.S. Chamber of Commerce, the nation’s largest business-lobbying organization, have criticized the Senate measure because it mandates security requirements instead of encouraging voluntary sharing of information.
Rogers introduced House legislation providing legal authority for the government and companies to share cybersecurity information voluntarily. The House Intelligence Committee approved the bill Dec. 1. No date has been set for bringing it to the House floor.
The Rogers bill is H.R. 3523. The Senate bill is S. 2501.