Cyber security information sharing initiatives between government and industry took a major step forward recently with the appointment of Daniel Prieto to the Department of Defense (DOD) Chief of Information Office, where he will be charged with enlarging information sharing between the Pentagon and the defense industrial base. Prieto, a former IBM executive, will be a key player in efforts by the Pentagon, and the federal government as a whole, to reduce vulnerabilities to critical defense programs through industry outreach. This information sharing program is not new; in fact it has grown in the past year, with almost 100 contractors taking part in the DOD effort. Participating companies make the Defense Department aware of breaches when they happen, and in return the Department's National Security Agency notifies them of what its investigations have revealed about the specific malware.
As the threats posed by cyber intrusions of defense industrial base networks increase with each passing year, the federal government wants you, industry, to participate in voluntary information sharing initiatives that let information security officers and commanders know when their information has been exposed, and that provide an avenue for government to share information to enhance your security. The National Defense Authorization Act of 2014, Executive Order 13636, and Presidential Policy Directive-21, all signed in the last 7 months, contain key provisions aimed at facilitating information sharing between industry and government. Information sharing, of course, is not limited to DOD and industry partnerships. The Executive Order released this February, in particular, orders agencies to work more closely with the companies that own and operate the nation's critical infrastructure, such as banking, utility, and transportation networks, and to reinforce information sharing. The Order calls for the National Institute of Standards and Technology to put together a strategy on how the government and industry can pool information on network security gaps and cyber breaches against critical components of our infrastructure. Comments and responses are being collected, with a final version of the plan expected early next year.
There are valid concerns that sharing information exposes weaknesses and would negatively affect the reputations of participating companies. By enhancing reporting requirements and vulnerability management tools, it also potentially gives federal agencies visibility into industry's proprietary information after an attack on a company's networks or when vulnerabilities exist in its supply chain. To address this unease, breach reports are stripped of identifying information in order to make them as anonymous as possible. Right now there are no laws requiring industry to share this information, but the path remains open for future action by the Executive Branch or Congress.
To help shape the future direction of public-private information sharing, companies involved in infrastructure and programs critical to our economic and military security should keep the lines of communication open with government. Not being open and honest about vulnerabilities will only exacerbate problems down the road. Also remember that information sharing is a two-way street: the government is obligated to help you mitigate any security gaps, which benefits your business. The success of these initiatives within the Pentagon is a sign that healthy partnerships can work in getting a better handle on cyber intrusions affecting critical national interests and in developing long-term solutions for addressing them.