Sometimes a key piece of information slips by in a press release without anyone realizing its significance. A release issued at the recent RSA security conference ended up disclosing a major data security program that is vital to national security.
The release was to announce Robert Lentz, a Deputy Assistant Secretary of Defense for Information and Identity Assurance (I&IA) at the Department of Defense (DoD), had been presented with an award for “excellence in the field of security practices.” Buried at the bottom was this tidbit:
“Lentz is … recognized for implementing a revolutionary risk-management based information system certification and accreditation program known as the Defense Information Assurance Certification & Accreditation Program. He launched the Defense Industrial Base (DIB) Cyber Security effort with top DIB CEO’s to develop information-sharing mechanisms, began the DoD’s first Defense Venture Capital Initiative and developed the DoD International Information Assurance Program, which forges partnerships with allies, NATO and other collective security organizations to enhance cyber situational awareness and protect U.S. information on foreign information systems.”
So how many of you have heard of the Defense Industrial Base? That’s because you weren’t supposed to.
The Defense Industrial Base (DIB) Cyber Security effort dates back at least as far as August 15, 2008, when a report entitled “U.S. Army’s Concerns with Protection of Controlled Unclassified Information” described the problem.
“Digitalization of information has introduced greater risk of compromise of DIB-held Department of Defense (DoD) controlled unclassified information that is used in the development of Warfighting systems during the acquisition lifecycle. Simply stated, hostile actors can exfiltrate large volumes of unclassified program information in a single attack that can potentially net enough information to enable adversaries to narrow a capability gap.”
The report said that data had already been lost, something the DoD and Lockheed Martin both denied last week. “Exfiltrations of unclassified data from DIB unclassified systems have occurred and continue to occur, potentially undermining or even neutralizing the technological advantage and combat effectiveness of the future force.”
The report recommended spending a little over $7 million on the program during the period from 2010 to 2015 to “oversee program protection and risk management planning with the U.S. Army.”
The program has been needed for some time. “I’ve been beating this drum for ten years,” Michael Marculec, COO of Internet monitoring company Lumeta, told InternetNews.com.
Late last year, in an op-ed in The New York Times he called for the appointment of a Chief Security Officer who would supplement President Obama’s CTO by focusing on cyber security.
Instead, the president ordered a national cybersecurity review, which is overdue but will call for significant change, Melissa Hathaway, in charge of the review, revealed at RSA.
The DIB need not be overly complex. The Internet industry already has a mechanism for distributing vulnerability data in the form of the U.S. Computer Emergency Readiness Team (US CERT).
Other security risks are monitored through programs created by the National Infrastructure Protection Plan (NIPP).
But US CERT focuses on attacks that reach a large amount of the population and the defense program is targeted by the most sophisticated, focused attacks.
“The DoD is the leading edge. They get the attacks first,” said Marculec.
“It then tends to move to financial institutions and then into regular companies. The tail end of this is industrial control systems. They’re still dealing with Code Red. They may still be running Windows Server 2000.”
The good news is that the government has started talking to businesses.
“The framework is now in place,” said Marculec. “Maybe they are not completely set up to do so, but agencies have indicated a basic willingness to start to share information.”
The DIB Cyber Security effort represents a change from the past. “Current program protection efforts largely focus on mitigating risks of compromise to Warfighting technologies as a result of traditional espionage or industrial theft,” noted the report written only nine months ago.