[Infowarrior] - DOD, Industry Join to Protect Data
Richard Forno
rforno at infowarrior.org
Mon May 25 19:04:17 UTC 2009
Defense Dept., Industry Join to Protect Data
By Ellen Nakashima
Washington Post Staff Writer
Monday, May 25, 2009
http://www.washingtonpost.com/wp-dyn/content/article/2009/05/24/AR2009052402140_pf.html
LINTHICUM, Md. -- At 2:42 p.m. one recent Wednesday, on the fourth
floor of a squat brick office building under the flight path of jets
landing at Baltimore-Washington International Marshall Airport, a
Pentagon analyst skilled in parsing malicious computer code e-mailed a
threat alert to 28 of the nation's largest defense contractors.
That morning, a defense company had told the Defense Department Cyber
Crime Center about a significant probe of its computer network. The
Pentagon analysts determined the code was present in several
companies' networks and raised the alarm.
This information exchange took place, government and industry
officials said, because the companies and the Pentagon have begun to
trust one another. They are joining forces to stem the loss of
important defense industry data -- by some estimates at least $100
billion worth in the past two years, reflecting the cost to produce
the data and its value to adversaries.
For two years, the Defense Department has been collaborating with
industry to try to better protect the firms' computer networks. Now,
as the Obama administration ponders how to strengthen the nation's
defenses against cyberattacks, it is considering ways to share the
Pentagon's threat data with other critical industries, such as those
that handle vastly larger amounts of data, including phone calls and
private e-mails. The threat scenarios, experts say, are chilling: a
months-long blackout of much of the United States, wide-scale
corruption of electronic banking data, a disabling of the air traffic
control system.
The Pentagon's trial program with industry illuminates the promise and
the pitfalls of such partnerships. The goal is a swifter, more
coordinated response to threats facing the defense industry. But
intelligence and law enforcement agencies have been reluctant to
release threat data they consider classified. And the companies have
been reluctant to share intrusion data, for fear of losing control
over personal or proprietary information.
"This isn't just about national security. It's about the economic
well-being of the United States. It's that fine line of ensuring that you
have security without unnecessarily compromising privacy," said
Barbara Fast, vice president of Boeing Cyber Solutions.
The pilot program has prompted the Department of Homeland Security to
consider extending the model to other industries, officials said. And
the Defense Department is in preliminary talks with telecommunications
and Internet service providers about creating a similar partnership,
industry officials say.
The Defense Department's Cyber Crime Center, whose 277 employees are
mostly contractors, is a clearinghouse for threat data from the
National Security Agency, military agencies, the DHS and industry.
Some alerts go out quickly, such as those flagging the "Internet
protocol" address of a potential hacker.
Other reports based on classified data take on average three weeks to
compile. They tell a company who might be behind an attack and what
the attacker's tactics are, such as infected e-mail. One reason
vetting such material takes time is that sources must approve
dissemination of the information to ensure that disclosure will not
jeopardize an investigation.
"Clearly this needs to be a lot quicker than it is today," Boeing's
Fast said in an interview last month.
Several firms said they share with the Cyber Crime Center technical
information about viruses and suspicious probes that they feel can
help the industry broadly. But Northrop Grumman, for instance,
generally reports breaches to the military branch that owns the
contract, company officials said, and the branch decides whether it
should be reported elsewhere.
"There is this natural inclination to not highlight that you've had a
problem, an incursion into your system," said Ellen E. McCarthy,
president of the Intelligence and National Security Alliance, which
includes the defense industry. "It highlights to your customers, to
your board of directors, that you've had a problem."
Though Lockheed Martin's agreement allows the firm to send samples of
breach data to the crime center, the firm prefers to do its own
intrusion investigations, said Mike Gordon, senior manager of
Lockheed's Computer Incident Response Team. "We've got the most
talented team, the most advanced technologies," he said during an
interview at the firm's Security Intelligence Center in Gaithersburg.
At the touch of a button, a wood-paneled wall slid up and revealed an
operations center -- barely a year old -- with 24 workstations, 15
analysts scrutinizing code on their monitors, a wall of giant video
screens showing network traffic, and a map of the firm's global
Internet links. Each day, 4 million e-mails enter Lockheed's networks,
and analysts monitor hundreds of millions of actions, including clicks
on the company Web site, for suspicious activity.
In 2006, Lockheed officials contacted government investigators about a
suspicious intrusion into an unclassified network that handles data on
the F-35 Joint Strike Fighter. The Wall Street Journal reported about
that incident last month.
Senior Air Force officials became concerned that other systems were
vulnerable and directed that the breach investigation be broadened to
include the F-22 fighter program, although no evidence was found that
F-22 data had been stolen, according to sources who spoke on the
condition of anonymity because of the matter's sensitivity.
Both jets rely on computer networks for operation and maintenance,
which makes them vulnerable to hacking that can affect flight
operations. Gaining access to unclassified data about design and
maintenance can allow an adversary to more easily design
countermeasures, the sources said.
In early 2007, the Air Force launched a partnership with about a dozen
companies that work on the F-35 and F-22, and that served as the
nucleus for the broader partnership. In August 2007, Deputy Defense
Secretary Gordon England gathered the top executives of major
contractors for a classified briefing.
"We shared with them the fact that we've got a very, very aggressive
cyber threat," said Robert Lentz, a Pentagon official who heads the
partnership. The Pentagon soon will seek to amend defense acquisition
rules to require cybersecurity standards for firms seeking contracts.
"The sooner we all understand what's required to protect the
information in our networks, and we teach this in universities and in
businesses, the better off we all will be, down to the Internet user
at home," Lentz said.