The recent flood of stories on attacks against the electrical grid, various government agencies and other portions of the critical infrastructure has renewed the calls for improvements in federal cybersecurity and, especially, information sharing between the government and the private sector on attacks and vulnerabilities. Some of this has been going on behind the scenes in Washington for a long time in an ad hoc fashion, but it appears it’s been getting more organized of late.
A story in the National Journal details a secret program through which the Department of Defense and some of its largest contractors have been sharing data on network scans, attacks and vulnerabilities for more than a year.
The new intelligence partnership, which has not been previously reported, is known as the Defense Industrial Base initiative, or “the DIB.” The department formally launched the program in September 2007, but it took a year to work out a legal arrangement by which the contractors and the government could confidentially share information. In mid-2008, the effort ramped up after what was described as a hair-raising meeting in a secured facility at the Pentagon in which officials gave temporary security clearances to chief executives from the biggest defense firms and delivered a no-holds-barred briefing on the range of successful cyberattacks launched against the government and their companies. The executives “went in with dark hair and came out with white hair,” said James Lewis, a prominent cyber-security expert and a fellow at the Center for Strategic and International Studies, who is familiar with the meeting. “I think that was a shocker for most people.”
This is exactly the kind of partnership that should be in place in other sectors. Defense is the right place to start and it’s very encouraging to see this happening in such an organized way. Of course, the key is what’s being done with the intelligence that’s being shared. The department and the contractors are using the data to improve their own defenses and incident handling.
But ideally, that data should be sanitized and shared with a wider set of organizations in order to maximize the benefit. Many of the same vulnerabilities that are present in government and contractor networks affect installations in other industries, and any data on exploits being used against those weaknesses could be very useful to security teams in those organizations. This happens in limited ways through the ISACs, but it needs to be expanded as broadly as possible.
There are some indications that the Obama administration will be encouraging more of this kind of information sharing in the coming years, and it can’t come soon enough.