BreachExchange mailing list archives

Military Companies Brace for Rules on Monitoring Hackers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 13 Aug 2014 19:45:56 -0600

http://www.bloomberg.com/news/2014-08-13/military-companies-brace-for-rules-on-monitoring-hackers.html

Companies that do business with the Defense Department are bracing for new
U.S. rules requiring them to report computer breaches to the Pentagon and
give the government access to their networks to analyze the attacks.

Groups representing the contractors are raising concern about the Pentagon
rooting around their data, and say smaller companies may not even have the
cybersecurity protections needed to comply. A report that was to be
released today on the rules has been pushed back until Sept. 24, according
to a person familiar with the matter who isn’t authorized to speak publicly.

The pending rule change marks an escalation of efforts to understand the
scale of hacking as the Defense Department plans to spend $23 billion
through fiscal year 2018 on cybersecurity. The crux of the rule is designed
to ensure companies handling classified data quickly inform the Pentagon of
hacking attacks.

The effort “has the potential to become too onerous” if it requires
contractors to report minor breaches and allows the Pentagon access to
trade secrets or personal information on their networks, said Mike
Hettinger, senior vice president for the public sector at TechAmerica, a
trade association based in Arlington, Virginia, that represents Lockheed
Martin Corp. (LMT), Northrop Grumman Corp. (NOC) and other defense
contractors.

“The idea is to make sure we know where these breaches have been and
protect information that is in these systems, and not just make people
disclose for disclosure’s sake,” Hettinger said in an interview.

Congress mandated the rules as part of a budget authorization measure in
2013 for the Defense Department after repeated warnings from Pentagon
officials about hacking threats and successful incursions.

Business Costs

The 2013 law had called for the rules to be developed within 90 days.

Foreign hackers stole 24,000 U.S. military files in a single incident on a
defense contractor in March 2011 in one of the Pentagon’s worst
cyber-attacks. In May 2011, Bethesda, Maryland-based Lockheed suffered what
it called a “tenacious” attack on its computer networks, though the company
said no employee, program or customer data was lost.

“Cybersecurity is increasingly becoming the cost of doing business with the
federal government,” Daniel Stohr, director of communications for the
Aerospace Industries Association, said in a phone interview. “It’s
something as an industry that we have to face.”

Clear Guidance

The rules could have a far-reaching impact on small and medium-sized
companies and their vendors, though the exact cost is impossible to know
without the details, said Rusty Rentsch, assistant vice president for
technical operations at the Arlington, Virginia-based association, which
represents almost 150 companies including Boeing Co. (BA) and DigitalGlobe
Inc. (DGI).

Companies will be looking for clarity about what kind of breaches have to
be reported and what procedures need to be followed when incursions are
found, Rentsch said in a phone interview.

“We’re looking for clear guidance on how to implement whatever requirements
the government is looking to put into place,” he said. “We don’t want
contracting officers giving their personal interpretation of what this rule
would or should be.”

Companies also will want the Pentagon to share information about hacking
threats in order to help them better understand what to watch for, Rentsch
said.

Hacking risks are growing and top the list of global threats, Director of
National Intelligence James Clapper told the Senate’s intelligence
committee in January. It was the second year in a row that hacking threats
were the top concern.

Uniform Standards

A report last month from the federal commission that investigated the Sept.
11, 2001, terrorist attacks said cybersecurity is “the battlefield of the
future” and the nation’s ability to protect core networks lags far behind
the growing threat.

The rules will apply to contractors that have Pentagon security clearances
to access, receive, or store classified information for the purpose of
bidding on a contract or conducting activities in support of programs,
according to language that lawmakers wrote to accompany the 2013 defense
authorization bill.

Contractors must report a description of methods used in an attack and
provide a sample, if found, of the malicious software used, according to
the lawmakers.

The rulemaking is also an effort to replace the Pentagon’s current practice,
in which requirements to report hacking breaches are written into contracts
on a case-by-case basis, with a uniform approach, said Harriet Pearson, a
partner at the Washington law firm Hogan Lovells.

“What it really means is any defense contractor who intends to be able to
handle classified information needs to review and update their breach
detection, response and reporting,” Pearson said in a phone interview. “Can
you detect if you’ve had an incident?”

“The new rules will help bring some clarity to the process that contractors
are expected to follow,” she said.