The Cyber Intelligence Sharing and Protection Act (CISPA) might be cast into doubt in the wake of a Department of Defense announcement last week that as many as 1,000 defense contractors -- and possibly thousands more -- may voluntarily join an expanded program of sharing classified information on cyber threats with the federal government.

The program, known as the Defense Industrial Base Cyber Security/Information Assurance, or DIB CS/IA, has been in a pilot phase for the past four years with only 37 contractors. The expansion, recently approved by the Obama administration, means about 8,000 contractors cleared to work with DoD intellectual property are being invited to participate.

Bloomberg BusinessWeek reports that if this expansion "proves successful in safeguarding defense contractors from cyber attacks, the administration may enlarge the program to companies in 15 other critical infrastructure categories through the Department of Homeland Security," Eric Rosenbach, deputy assistant secretary of defense for cyber policy, said.

This, if it works as expected, could prompt those arguing over CISPA, recently passed by the U.S. House, along with other similar pending legislation in Congress, to wonder how necessary it all is. Why mandate information sharing with the government if it can happen voluntarily?

Jason Healey, director of the Cyber Statecraft Initiative of the Washington, D.C. think tank Atlantic Council, says that while "there absolutely are similarities" between DIB and the various legislative efforts, there are "lots of other bits" in those bills -- such as mandatory security standards. "Some legislation is necessary," he says.

Dan Philpott, an expert in federal cybersecurity and editor of FISMApedia, says DIB CS/IA is "a much lighter version" of CISPA. He says another reason the program could not replace cybersecurity law is that it is unlikely anything close to 8,000 contractors will volunteer to enter it. He believes the DoD is being optimistic even with an estimate of 1,000. "I think they'd be happy with 500," he says.

Beyond that, there is debate over how worthwhile and effective DIB CS/IA has been and will be. There is broad agreement that the threat of cyberattacks is increasing at "a rapid and accelerating rate," in the words of Rear Admiral Samuel Cox, director of intelligence for the military's Cyber Command, at a forum last month.

And the goal of the DIB expansion is for more sharing of data between private defense contractors and the DoD's intelligence-gathering arm, the National Security Agency. Richard A. Hale, deputy chief information officer for cybersecurity, told the American Forces Press Service, "We started the program in an attempt to share cyber-threat data with these companies in a way that allowed the companies to act on that information immediately," and called it "an important step forward in our ability to catch up with widespread cyber threats."

But Healey, speaking to Reuters last week, expressed some skepticism about whether the benefits of DIB CS/IA would be worth the cost to contractors. "The DIB pilot probably increases the defenders' work factor much more than it increases the attackers'," he said. "This is a lot of work and a lot of taxpayer dollars for something that has apparently not proven it can increase security more than on the margins."

Healey says he is "very pleased to see DoD saying they could scale this to 8,000 companies." But he still thinks the department could be much more efficient in its dealings with private industry. In an article in The Atlantic, Healey argues that the NSA should simply declassify much of its database of malware "signatures."

He acknowledges that critics will argue that such action would "compromise our sensitive collection sources and methods. [But] in truth, the extreme classification surrounding most of these signatures protects little but bureaucratic inertia. General Michael Hayden, a past NSA director, made this case best, saying, 'Let me be clear: This stuff is overprotected.'"

"More importantly, the Internet is an open network and any adversary that uses novel malicious software knows it will eventually be discovered," he said.

Philpott adds that in the information security community, "signature-based security is becoming kind of looked down on. It's inherently weak because it only identifies things that have already happened."

Healey writes in The Atlantic that NSA's signature database, while "considered among the crown jewels of the U.S. government's defense capabilities ... may not be as awe-inspiring as advertised." He adds: "An independent review found only marginal benefit" to contractors like Northrop Grumman or Lockheed Martin.

"Only 1% of the attacks were detected using NSA threat data that the companies did not already have themselves," Healey says.

He argues that a more effective system would be an "independent clearinghouse for signatures. NSA might anonymously add its signatures ... and further wash their source by mixing them with signatures from security companies and even with other nations' intelligence agencies."

"This option would create the world's best-ever signature database ... and any organization that contributes their signature collection would then be able to use the full database," Healey says.