DOD info-sharing program to expand under order

In the days since President Barack Obama released his executive order on cybersecurity, active discussion of the measure's moving parts, implementation and potential impact has been unfolding. One area central to the order -- and to federal cybersecurity in general -- is information sharing among government, industry and other stakeholders.

Information sharing is explicitly targeted in the executive order, particularly through the mandated expansion of the Enhanced Cybersecurity Services program. When it was launched in 2011 as the Defense Industrial Base Cyber Pilot, the effort involved fewer than a dozen defense contractors testing ways for the government to share attack signatures for identifying threats to defense contractors’ networks.

The cyber pilot later expanded to include more companies, and in 2012, the Department of Homeland Security assumed an active role in the program and took over essential communications with Internet service providers.

Now the program is being enlarged to a governmentwide initiative that seeks to better secure the networks of agencies and private companies, including those that manage critical infrastructure, against cyber-borne threats.

"The initial impetus in the DIB Cyber Pilot was a proof of concept," said William Lynn, former deputy secretary of defense and now CEO of DRS Technologies. "It was to show there could be a public/private partnership and that we could get through the policy and legal thickets to allow this information sharing. We wanted to prove the construct could work and could be applied to a much broader set of government agencies and, in some cases, smaller organizations with less capable cyber defenses. The use of the example by the president in his executive order shows that it was a success."

The original pilot program focused on government agencies within the Defense Department and the intelligence community sharing known threat signatures with participating companies. The companies could then use that information to look for malicious activity on their own networks. The program was criticized -- most notably in a Washington Post report -- for relying too heavily on signature-based defenses, which can be of limited effectiveness and are only one of many tools that should be used.

"The government signatures that were provided added some to companies' defenses," Lynn said. "It wasn’t as big of a game-changer for some of the larger companies, which had cyber capabilities of their own, as it might have been for smaller companies with less capable defenses. And that's where it's being expanded to and where the president's executive order is taking it."

Nevertheless, because it lacks the power to create new regulations or change existing laws, many experts say the executive order will not lead to sweeping cybersecurity action.

Lynn, who helped launch the cyber pilot program and DOD's 2011 Strategy for Operating in Cyberspace, is quick to note that neither the information-sharing effort nor the executive order will be enough to comprehensively tackle cybersecurity at the federal level. Top government officials, including Lynn and Obama, have repeatedly called on Congress to enact thorough cybersecurity legislation that can go further than an executive order.

"The EO deals a lot with government-to-private-sector sharing because that's what the president can direct in an EO," said Michael Daniel, White House cybersecurity coordinator. "That doesn't mean we don't think that enabling properly protected...information coming back to the government is important. That's very important. Perhaps equally important is making sure the statutory framework enables, rather than restricts, private-to-private information sharing."

Current laws do not always ensure information sharing because some companies fear revealing their vulnerabilities to government agencies that could take legal action against them, and private organizations are often unwilling or unable to share proprietary information with one another.

In a Feb. 14 blog post, the Heritage Foundation's Paul Rosenzweig and David Inserra noted that the executive order cannot overcome those limitations.

"While the EO does take some positive steps in the area of information sharing, these steps are hamstrung by the EO's inability to provide critical incentives such as liability protection," they wrote. "The problem is that the EO cannot provide these important protections. They can be created only by Congress. As a result, many businesses will be reluctant to share their information for fear that their proprietary information could be endangered by a [Freedom of Information Act] request or that an honest mistake might lead to a lawsuit being filed against them."

Lawmakers failed to pass cybersecurity legislation last year, but they are expected to take it up again in the coming months. House members have already reintroduced the Cyber Intelligence Sharing and Protection Act, one of the proposed measures that did not succeed last year, and Senate Democrats have announced plans to revive other legislative efforts.

According to Lynn, it cannot happen soon enough. He said one of his top concerns is seeing the government respond to the rapidly evolving cyber threats the country faces.

"The issue is whether we're moving fast enough," he said. "Clearly, the threat is moving up a scale, from disruptive to destructive attacks. The kinds of actors we see mounting those attacks are becoming increasingly malicious, moving from nation states to rogue states to terrorist groups. We need to move quickly. Congress missed the opportunity to act last year; we can't afford for them to miss the opportunity this year."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
