[Infowarrior] - The Cyber Defense Perimeter
Richard Forno
rforno at infowarrior.org
Thu Apr 30 18:58:19 UTC 2009
The Cyber Defense Perimeter
Defense contractors are receiving classified information on hacker
threats to their computers.
by Shane Harris
Saturday, May 2, 2009
http://www.nationaljournal.com/njmagazine/id_20090502_5834.php
In response to an unprecedented wave of attacks on the Defense
Department's computer networks, and possible theft of information
about U.S. weapons systems by foreign governments, the Pentagon has
quietly begun sharing classified intelligence about hackers and online
threats with the country's biggest defense contractors. The
intelligence-sharing program began almost two years ago, after top
Pentagon leaders realized that hackers were trying to steal
information not just by breaking into government computers but also by
going after corporations that contract with the government. These
private computers and networks often contain the same sensitive and
classified information found in the government's systems.
The new intelligence partnership, which has not been previously
reported, is known as the Defense Industrial Base initiative, or "the
DIB." The department formally launched the program in September 2007,
but it took a year to work out a legal arrangement by which the
contractors and the government could confidentially share information.
In mid-2008, the effort ramped up after what was described as a
hair-raising meeting in a secured facility at the Pentagon in which
officials gave temporary security clearances to chief executives from
the biggest defense firms and delivered a no-holds-barred briefing on
the range of successful cyberattacks launched against the government
and their companies. The executives "went in with dark hair and came
out with white hair," said James Lewis, a prominent cyber-security
expert and a fellow at the Center for Strategic and International
Studies, who is familiar with the meeting. "I think that was a shocker
for most people."
Weaknesses in corporate defenses can threaten top government secrets.
Last month, The Wall Street Journal reported that cyber-spies targeted
companies helping to build the Joint Strike Fighter and stole design
information that could make it easier for adversaries to defend
against the airplane. The paper reported that the breaches began as
early as 2007 and perhaps continued into 2008, a period that generally
coincides with the intelligence-sharing program's start-up.
Since then, Pentagon leaders have met with "the highest levels of all
the different companies" in the defense industrial base, a senior
Defense official told National Journal. Former Deputy Defense
Secretary Gordon England "took this as a top priority, and he made
sure that we got the highest levels of all the companies aware of the
cyber-threat and the whole circumstances around it," said Robert
Lentz, the deputy assistant Defense secretary who oversees the
intelligence-sharing partnership.
According to a dozen industry and government officials interviewed by
NJ, the pilot DIB has been running largely unnoticed. It is restricted
to companies in the defense sector. But the White House has received a
proposal to expand the program to other economic sectors that are at
risk of cyberattack, such as the electrical power and financial
services industries. In written recommendations to Melissa Hathaway,
President Obama's cyber-security adviser, the Intelligence and
National Security Alliance, a nonpartisan association of intelligence
professionals, called the Pentagon's program a "fledgling effort" that
"should be fully supported." The group's former chairman, John
Brennan, is Obama's top counter-terrorism and homeland-security adviser.
The Pentagon is working with the Homeland Security Department to
broaden the model for other vital infrastructure sectors, Lentz said.
The program has worked out a consistent, if not real-time, process for
sharing cyber-intelligence. Every two weeks, the Defense Department
briefs the 30 companies participating in the DIB on potential
vulnerabilities in computer networks, as well as on specific threats
that the government has found in the course of its regular scouting in
cyberspace. Experts cull the data from a number of intelligence and
military organizations, Lentz said, including the Joint Task
Force-Global Network Operations, which is responsible for protecting
military computer networks, and the National Security Agency's Threat
Operations Center, which monitors global communications networks for
threats to defense and intelligence agencies.
The information comes in two forms, Lentz said: an unclassified report
that executives can share with the technicians who manage their
networks, and a classified report of "contextual information" that the
firms can use to protect themselves.
The Defense Department has a compelling interest in protecting the
data on its contractors' systems. "This is DOD information that is at
risk," Lentz said. The companies may own their networks, but the
information traveling on them belongs to the government and is
considered a vital national defense asset.
Lentz declined to specify what threats have turned up or what attacks
have occurred. But he said that the senior-level attention at the
Pentagon was triggered by a notable increase in attacks. "In the past
18 months, we've seen a significant spike in cyber-criminal activity,"
he said.
A significant portion of that activity appears to be cyber-espionage
-- the theft of restricted information through the Internet. Senior
defense and intelligence officials have been sounding the alarm for
several months about cyber-espionage by computers based in China. They've
also singled out organized cyber-crime rings in Russia. In an
interview with NJ last year, Joel Brenner, the nation's top
counter-intelligence official, named both countries as major sources of
sophisticated and relentless cyberattacks.
Corporations are reluctant to confirm that they are part of the DIB
initiative, and Lentz wouldn't give any names. But sources familiar
with the membership say that it includes the top tier of defense
contractors, and that smaller companies are joining the group as well.
Officials with Raytheon and Northrop Grumman confirmed that their
companies are members.
It's not surprising that some contractors want to remain silent. Some
executives fear that hackers will only try harder to breach their
systems if they know that their networks contain information so
valuable that the military and the intelligence community are helping
to protect it, according to one industry official who works with the
DIB. The program is not classified, but it has created a forum in
which contractors feel safe enough to disclose weaknesses in their
defenses without fear of inviting attack or drawing public attention.
Historically, corporate leaders have been loath to share this kind of
information with the government for fear of negative press, or because
they think it will limit their opportunities to win future business.
For nearly a decade, cyber-security experts have warned that the lack
of consistent information-flow between government and industry has
weakened overall security.
"This is all about trust," Lentz said of the DIB, "and all about a
mutual understanding of the consequences of not taking immediate
action to find out what's causing a particular event."
The program is not a one-way street. In addition to the regular threat
reports that contractors receive from government, they are expected to
report any intrusions into their systems within 72 hours of the event,
Lentz said. That information goes to a Defense Department
cyber-forensics team that specializes in tracing the source of an attack and
learning how it was done. "When we determine that someone is trying to
attack our networks ... we'll report that very quickly," said Steve
Hawkins, vice president of information security solutions at Raytheon.
"The government in turn can then provide that information out to the
other partners."
Although participants say that the new partnership was not spawned by
one particular incident, its birth closely followed a June 2007 attack
on Pentagon computer systems that surprised senior officials for its
breadth and severity.
As first reported in September 2007 by the Financial Times, the
Chinese military hacked into a Pentagon computer network three months
earlier, in what U.S. officials called "the most successful
cyberattack on the U.S. Defense Department." The attack showed an
alarming level of sophistication and precision. "China had shown it
could disrupt systems at critical times," the newspaper reported.
In September 2007, Forbes reported, "the same spies may have been
combing through the computer systems of major U.S. defense contractors
for more than a year." That same month, the DIB initiative took shape.
The Defense Department was not reacting to an isolated event, Lentz
emphasized. "We've been very much concerned about ... the breadth of
the cyber-movement in terms of their aggressiveness, their skills
sets," he said, calling cyberspace "increasingly volatile."
Lewis of CSIS, who directed a comprehensive cyber-security study for
the Obama administration, agreed that the threat was, and is,
pervasive and persistent. "It wasn't that we got whacked by a
two-by-four; we were getting whacked by a two-by-four every week."