Pentagon says cyber-threat sharing may reach 1,000 contractors
The Pentagon predicts as many as 1,000 defense contractors may join a voluntary effort to share classified information on cyber threats under an expansion of a first initiative to protect computer networks.
After a four-year pilot program involving 36 contractors and three of the biggest U.S. Internet providers, the Obama administration approved a rule letting the Pentagon enlist all contractors and Internet providers with security clearances in the information exchange, according to Eric Rosenbach, deputy assistant secretary of defense for cyber policy.
“This is an important milestone in voluntary information-sharing between government and industry,” Rosenbach said in an interview yesterday at the Pentagon. Richard Hale, the Pentagon’s deputy chief information officer for cybersecurity, said that 1,000 companies may participate.
If the Pentagon’s effort proves successful in safeguarding defense contractors from cyber attacks, the administration may enlarge the program to companies in 15 other critical infrastructure categories through the Department of Homeland Security, Rosenbach said.
Cyber threats facing the U.S. defense industry and its “unclassified information systems represent an unacceptable risk of compromise of DoD information and pose an imminent threat to U.S. national security and economic security interests,” according to the federal rule authorizing the expanded Department of Defense program.
Secure portal
Using a secure portal called DIBnet, the Pentagon will provide both classified and unclassified information on cybersecurity threats and defenses against them to companies that have security clearances and agree to participate, Rosenbach and Hale said.
“You are using special intelligence information derived somewhere else in the world to put into” cybersecurity, Rosenbach said in the interview. “So it is more active than simply waiting for an attack to come.”
Internet providers such as Verizon Communications Inc. and defense contractors including Lockheed Martin Corp. have said they participated in the pilot program and intended to continue in an expanded effort.
“We might share with the companies what kind of cyber attack trends we are seeing inside DoD — if a particular kind of phishing attack, for instance, has become more prevalent,” Hale said.
Participants may also elect to join an “enhanced effort” under which the Defense Department will provide fixes for each type of threat to Internet providers and other eligible companies that in turn will screen the network traffic flowing to contractors, Rosenbach said.
Cybersecurity services
Lockheed, based in Bethesda, Maryland, and New York-based Verizon have said they would take the Pentagon-provided information and offer a package of cybersecurity services for a fee to other contractors. The companies have said they are working to determine how much customers would have to pay for such services that draw on U.S. intelligence.
Booz Allen Hamilton Holding Corp. and SAIC Inc., both based in McLean, Virginia, and Computer Sciences Corp., based in Falls Church, Virginia, participated in developing and running the cyber information-sharing program, according to Jason Wilson, an analyst with Bloomberg Government. In addition to Verizon, Internet providers AT&T Inc. and CenturyLink Inc. joined the pilot program.
Companies that choose not to participate won’t be penalized when bidding for defense contracts, Hale said. U.S. subsidiaries of foreign-owned contractors must have a security clearance to participate in the program, he said.