Cybersecurity

DOD info-sharing program to expand under order

In the days since President Barack Obama released his executive order on cybersecurity, active discussion of the measure's moving parts, implementation and potential impact has been unfolding. One area central to the order -- and to federal cybersecurity in general -- is information sharing among government, industry and other stakeholders.

Information sharing is explicitly targeted in the executive order, particularly through the mandated expansion of the Enhanced Cybersecurity Services program. When it was launched in 2011 as the Defense Industrial Base Cyber Pilot, the effort involved fewer than a dozen defense contractors testing ways for the government to share attack signatures for identifying threats to defense contractors’ networks.

The cyber pilot later expanded to include more companies, and in 2012, the Department of Homeland Security assumed an active role in the program and took over essential communications with Internet service providers.

Now the program is being enlarged to a governmentwide initiative that seeks to better secure the networks of agencies and private companies, including those that manage critical infrastructure, against cyber-borne threats.

"The initial impetus in the DIB Cyber Pilot was a proof of concept," said William Lynn, former deputy secretary of defense and now CEO of DRS Technologies. "It was to show there could be a public/private partnership and that we could get through the policy and legal thickets to allow this information sharing. We wanted to prove the construct could work and could be applied to a much broader set of government agencies and, in some cases, smaller organizations with less capable cyber defenses. The use of the example by the president in his executive order shows that it was a success."

The original pilot program focused on government agencies within the Defense Department and the intelligence community sharing known threat signatures with participating companies. The companies could then use that information to look for malicious activity on their own networks. The program was criticized -- most notably in a Washington Post report -- for relying too heavily on signature-based defenses, which can be of limited effectiveness and are only one of many tools that should be used.

"The government signatures that were provided added some to companies' defenses," Lynn said. "It wasn’t as big of a game-changer for some of the larger companies, which had cyber capabilities of their own, as it might have been for smaller companies with less capable defenses. And that's where it's being expanded to and where the president's executive order is taking it."

Nevertheless, because it lacks the power to create new regulations or change existing laws, many experts say the executive order will not lead to sweeping cybersecurity action.

Lynn, who helped launch the cyber pilot program and DOD's 2011 Strategy for Operating in Cyberspace, is quick to note that neither the information-sharing effort nor the executive order will be enough to comprehensively tackle cybersecurity at the federal level. Top government officials, including Lynn and Obama, have repeatedly called on Congress to enact thorough cybersecurity legislation that can go further than an executive order.

"The EO deals a lot with government-to-private-sector sharing because that's what the president can direct in an EO," said Michael Daniel, White House cybersecurity coordinator. "That doesn't mean we don't think that enabling properly protected...information coming back to the government is important. That's very important. Perhaps equally important is making sure the statutory framework enables, rather than restricts, private-to-private information sharing."

Current laws do not always ensure information sharing because some companies fear revealing their vulnerabilities to government agencies that could take legal action against them, and private organizations are often unwilling or unable to share proprietary information with one another.

In a Feb. 14 blog post, the Heritage Foundation's Paul Rosenzweig and David Inserra noted that the executive order cannot overcome those limitations.

"While the EO does take some positive steps in the area of information sharing, these steps are hamstrung by the EO's inability to provide critical incentives such as liability protection," they wrote. "The problem is that the EO cannot provide these important protections. They can be created only by Congress. As a result, many businesses will be reluctant to share their information for fear that their proprietary information could be endangered by a [Freedom of Information Act] request or that an honest mistake might lead to a lawsuit being filed against them."

Lawmakers failed to pass cybersecurity legislation last year, but they are expected to take it up again in the coming months. House members have already reintroduced the Cyber Intelligence Sharing and Protection Act, one of the proposed measures that did not succeed last year, and Senate Democrats have announced plans to revive other legislative efforts.

According to Lynn, it cannot happen soon enough. He said one of his top concerns is seeing the government respond to the rapidly evolving cyber threats the country faces.

"The issue is whether we're moving fast enough," he said. "Clearly, the threat is moving up a scale, from disruptive to destructive attacks. The kinds of actors we see mounting those attacks are becoming increasingly malicious, moving from nation states to rogue states to terrorist groups. We need to move quickly. Congress missed the opportunity to act last year; we can't afford for them to miss the opportunity this year."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
