DoD Taps New Leader for Info Sharing Program
Getting More of Defense Industrial Base to Share Cyberthreat Data
As the Defense Department prepares to require military contractors to participate in what's now a voluntary cyberthreat information sharing program, DoD is bringing in an IBM executive to help manage the initiative.
Defense Secretary Chuck Hagel named Daniel Prieto to be the first director of cybersecurity and technology in DoD's Office of the Chief Information Officer. Prieto, who served as vice president of IBM's public sector global business services, is charged with improving and growing the information sharing program between the federal government and defense contractors, known as the Defense Industrial Base, or DIB, before the initiative becomes mandatory.
"Dan's ability to navigate industry relationships will strengthen the DIBs," DoD Deputy CIO Robert Carey says.
Prieto will manage the DIB cybersecurity/information assurance program as well as its optional DIB Enhanced Cybersecurity Services component, known as DECS, which is jointly run with the Department of Homeland Security. DHS oversees existing and planned government-industry cyberthreat information sharing programs.
"Prieto will be charged with improving and growing the voluntary information sharing program between the government and the private sector DIB companies, which is designed to improve DIB network defenses and helps DIB companies and the government to reduce damage to critical programs when defense information is compromised," Defense Department spokesman Lt. Col. Damien Pickart says.
Carey says Prieto is joining a program that's running smoothly. "His job is to give it a little bit of acceleration, engage industry counterparts, talk about what's next, talk about what's feasible and press them for the [forthcoming] more mandatory nature for this reporting and this exchange, which is where we are headed through contracts," he says.
Transitioning to Required Report
Voluntary participation in the DIB program will soon end, as the Defense Department will require its contractors to share cyberthreat information. Carey says DoD has been working on changing the Defense Federal Acquisition Regulations for the past half-decade to require participation by defense contractors.
"That's a long process but one that's ready to pop in the next six months," Carey says. "So, new contracts written after a certain amount of time will have a clause that says, 'Oh, by the way, you will do this, not only if you want to,' which is where we really need to go."
Since May 2012, when DoD published the interim federal rule opening the DIB cybersecurity/information assurance program to all eligible DIB companies, the program has expanded from 34 to more than 90 participants.
That voluntary DIB program is seen as a model for initiatives the Obama administration is developing for the operators of the mostly privately owned national critical infrastructure to share cyberthreat information with the government.
In February, President Obama issued an executive order that would create new, real-time information sharing programs that would provide American companies with classified and unclassified cyberthreat information [see Obama Issues Cybersecurity Executive Order]. The order establishes procedures to expedite the processing of security clearances to appropriate personnel employed by critical infrastructure operators.
But getting widespread participation in such a program would require legislative action to provide private companies liability protection for the information they share. The House has passed such legislation [see House Handily Passes CISPA], but the measure has stalled in the Senate after Obama threatened to veto the measure unless it's revised to curb the scope of liability protection afforded businesses and provide more privacy protections [see White House Threatens CISPA Veto, Again].
Model for Information Sharing
A report issued in April by the Government Accountability Office cited a DIB pilot program as a model for cyberthreat information sharing initiatives between the government and the communications sector, a designated critical infrastructure industry [see 6 Aspects of Cyberthreat Info Sharing Program].
Gregory Wilshusen, GAO director of information security issues, wrote in the report that the pilot programs undertaken by DoD with its DIB partners exhibit several attributes that could apply to the communications sector and help private sector entities more effectively secure the communications infrastructure they own and operate. "As DHS develops procedures for expanding this program," Wilshusen said, "considering these attributes could inform DHS's efforts."