The US Defense Department invited all of its eligible contractors on Friday to join a previously restricted information-sharing pact aimed at guarding sensitive Pentagon program data stored on private computer networks.
The Pentagon predicts that as many as 1,000 defense contractors may join a voluntary effort to share classified information on cyber threats under an expansion of a first-ever initiative to protect computer networks.
The effort, known as the Defense Industrial Base ("DIB") program, is a voluntary information-sharing program in which the Department of Defense shares "unclassified indicators and related, classified contextual information" about cyber-attacks and threats with defense contractors.
In exchange, defense contractors report known intrusions and can receive forensics analysis and damage assessments from the government after those attacks. In an optional part of the program, the DIB Enhanced Cybersecurity Services, the government shares additional classified threat and technical data with defense contractors and Internet service providers.
If the Pentagon’s effort proves successful in safeguarding defense contractors from cyber attacks, the administration may enlarge the program to companies in 15 other critical infrastructure categories through the Department of Homeland Security.
More than 2,000 companies qualify and the membership rolls will be expanded on a first-come, first-served basis, the official said.At the program's entry level, the Pentagon will give participants unclassified "indicators" and classified "contextual information," as well as suggested measures for addressing cyber threats.
Volunteer companies must sign a standardized bilateral framework pact that calls for sharing "to the greatest extent possible" for the clearest understanding of cyber threats, according to an interim final rule published Friday in the Federal Register.
Recently, the security of critical infrastructure companies was put into the spotlight again when reports surfaced about a series of cyber attacks targeting the natural gas industry.
“The increasing connectedness of infrastructure not only makes U.S. utility companies more vulnerable to cyber-security attacks but increases the cascading effect an attack can have on other infrastructure sectors and capabilities,” said Chris Petersen, CTO of LogRhythm.
“A fundamental challenge utilities face is that supervisory control and data acquisition (SCADA) systems were not designed to be secure. Much of the existing infrastructure was developed and implemented prior to the rise of the Internet. Security was most often thought of in the physical sense.”