U.S. eyes broader cyber-threat pact with companies


The U.S. government is close to completing rules for a long-awaited expansion of the number of defence contractors with which it swaps data on cyber threats, said the Defence Department’s chief information officer.

The number of companies would jump from 37 currently to 200, Teri Takai, the chief information officer, told a forum in Arlington, Virginia.

Takai said she hoped that a federal rule-making process under way would wrap up within the next 60 days amid what she and other Pentagon officials describe as mounting cyber threats to U.S. high-tech companies, Reuters reports.

The companies will have to agree on a protocol for information-sharing among themselves and with the Defence Department, which will act as coordinator for the Defence Industrial Base Cyber Security and Information Assurance program.

There was a “waiting list” of those keen to join, Takai told the forum organized by Representative Jim Moran, a Democrat whose Virginia district is home to many information-technology and defence contractors.

The cyber threat to U.S. aerospace, defence and other high-technology companies “is increasing at a rapid and accelerating rate,” Rear Admiral Samuel Cox, director of intelligence for the military’s Cyber Command, told the session.

The Office of the National Counter Intelligence Executive, a U.S. intelligence arm, said in an unclassified report to Congress in October that China and Russia were in the forefront of keyboard-launched theft of U.S. trade and technology secrets to bolster their fortunes at U.S. expense.

Cox, replying to a question from Reuters after the event, said that the “amount of cyber exploitation by China continues to increase significantly” with what he suggested was the approval of the authorities in Beijing.

As the Defence Department has become better at defending its own classified and unclassified networks, Cox said, adversaries tend to go after “softer targets” such as defence contractors and other private vendors.
“And they’re having significant success in that regard,” he said.

Expansion of the program, which began in 2007, would let the Defence Department, including the communications-intercepting National Security Agency, share more sensitive data with private companies to counter the threat and get valuable information from the companies.

The initial effort provided for sharing of cyber threat-related intelligence only up to the “secret” level. Last year, the Defence Department added more sensitive classified information to the pilot group while working out procedures and a legal framework for a broader base.

Takai told reporters that the program eventually could be expanded to all the Pentagon’s suppliers who qualify under the rules. She said the companies would receive information on threats and solutions applied to thwart them.

Andy Purdy, chief cyber strategist at CSC, a major information technology supplier, said the program might eventually bring together as many as 2,000 U.S. companies in a public-private partnership, including some running crucial infrastructure.

President Barack Obama has requested $3.4 billion in his fiscal 2013 budget to boost the Defence Department’s cyber defences. Congress is likely to provide all of this “because this is going to have to be our highest priority,” Moran told the forum.

Separately, the Department of Homeland Security is working with the Defence Department on what is now known as the Joint Cybersecurity Services Pilot program, formerly the Defence Industrial Base pilot.
“No decision has been made on whether, when, or how to expand the coverage of the JCSP beyond the current participants,” a Homeland Security official said.

That program involves sharing sensitive threat-related information with unspecified Internet service providers who then relay it to the companies involved in the pilot. Its expansion also hinges on completion of the federal rule-making process, Takai said.