Govt. Plan: Threat Package for Sale

Friday, January 18, 2013 @ 10:01 AM gHale

Lockheed Martin Corp., AT&T Inc., and CenturyLink Inc. are the first companies to sign up for a U.S. program giving them classified information on cyber threats they can package as security services for sale to other companies.

The Pentagon provides the classified threat signatures to the Department of Homeland Security (DHS), which in turn provides them to companies approved to receive such information, said Eric Rosenbach, the deputy assistant secretary of defense for cyber policy. More companies are looking to participate in the program, he said.

“The vision is we take something unique that isn’t available in the public domain and give it to the private sector and rely on their ability to innovate, push and market,” said Rosenbach, who previously was a national security adviser to former Senator Chuck Hagel, President Barack Obama’s choice to be the next defense secretary.

The move to create a market based on classified U.S. information about cyber threats follows the failure by Congress in November to pass legislation that would have required companies operating critical infrastructure, such as electrical grids or telecommunications networks, to adopt voluntary security standards. The U.S. Chamber of Commerce opposed the measure, saying the proposed standards might transform into burdensome regulations.

The program to share classified information, called Defense Industrial Base Enhanced Cybersecurity Services, will help U.S. companies get protection that’s not been available in the commercial market, said Alan Paller, director of research at the SANS Institute, a computer-security training company based in Bethesda, MD.

A cyber intrusion-prevention service built on U.S. classified information “will absolutely protect companies against things they wouldn’t have been protected against,” Paller said.

Only the Pentagon has “very deep access to people who have been attacked and deep technical skills to analyze” such attacks and develop signatures, or unique characteristics, of a cyber assault, Paller said.

The Pentagon may learn about a particular type of cyber attack on a power company and glean its telltale signs, Paller said. “But how does the government let power companies know” they’re vulnerable? Paller asked. Letting a group of companies with security clearances take that information and sell it to others is “a really good idea, it’s the right way to do it.”

Pentagon officials hope the model will expand beyond critical infrastructure such as power plants to others, said Richard Hale, the Defense Department’s deputy chief information officer.

“The idea was if the government knew something, figure out a way to share it in a way that kept it private but still allowed the protection benefits to flow from that,” Hale said.

Potential customers for the cyber-threat service must garner Pentagon approval.

The program to share classified information with defense contractors and Internet service providers for resale grew out of an experiment that began four years ago, when the Pentagon and a group of U.S. defense contractors started sharing unclassified information on data loss and securing company computer networks, Hale said.

That initiative, which began with 36 defense contractors, now has 71 companies with an additional 22 waiting to join, Hale said.
