YOKOTA AIR BASE, Japan — The Defense Department has ratcheted up pressure on the nation’s biggest defense contractors to better safeguard their computer networks — and the sensitive military information they contain.
A proposed DOD policy that would require contractors to implement a standard set of cybersecurity safeguarding and reporting measures for unclassified information is expected to be released in a report Wednesday. The Pentagon already has a similar plan for classified information in the works with the Defense Industrial Base Collaborative Information Sharing Environment program.
Still considered a pilot program after three years, the plan calls for companies and the Defense Department to share information about security breaches and how to fix them, said Jim Christy, director of futures exploration at the DOD Cyber Crime Center.
Currently, only the top 30 or so defense contractors are part of the program, he said, but the goal is to expand it to many, if not all, of the 8,700 companies that do business with the military.
“It’s in everybody’s best interest to do this,” he said. “It’s not mandatory, but it’s coming.”
Last year, senior DOD officials “read the riot act” to top defense executives, telling them to step up cybersecurity at their companies or risk losing business with the military, said Herb Lin, chief scientist with the Computer Science and Telecommunications Board at the National Academies.
Private companies working for the military are hacker targets, experts said, not only for the data they hold — from classified plans for weapons systems to unclassified information about other military infrastructure — but also because they could be used as digital backdoors to the military networks with which they share data.
The DOD Cyber Crime Center found that between August 2007 and August 2009, 71 contractors, government agencies, universities and think tanks affiliated with the military had been hacked, according to a February article in Forbes. Military officials would not disclose the nature of the incidents or whether they appear to be state-sponsored occurrences, the news organization reported.
Some contractors are doing better than others at shoring up their systems against cyberattacks, said Alan Paller with SANS Institute, a nonprofit cybersecurity training and research outfit in Bethesda, Md., whose clients include the FBI and CIA. But efforts will remain piecemeal at best until the DOD mandates a change, he said.
Until then, security improvements are subject to negotiation between the military and its contractors, Lin said, and those compromises “could put national security at risk.”
For now, cyberthreats to defense contractors appear to be focused on spying on the companies, not necessarily attacking them, experts have said. But, Lin warned, the same malicious programs used to infiltrate DOD-affiliated networks could be used to launch full-scale offensives that could disrupt, corrupt or take control of the computerized systems that power everything from the military’s global communications to the way its weapons are deployed.
A similar attack is thought to be playing out at an Iranian nuclear power plant, where a sophisticated computer worm known as Stuxnet has penetrated the facility’s industrial controls, according to various media reports in and outside of Iran. Stuxnet is now considered the first large-scale cyberattack on civilian infrastructure.
Computer security giant Symantec — which has been the leading source of public information regarding Stuxnet — has shared private information about the cyberworm with U.S. law enforcement, intelligence and military agencies, said Liam Murchu, manager of operations at Symantec Security Response.
“Something like Stuxnet could possibly affect national security,” he said.