USDoD New Cyber-Security Rules For Unclassified Data
The U.S. Defense Department, the target of 300 million attempts daily to probe its computer networks, wants to require its contractors to report hacking that compromises sensitive information.
Under a proposed regulation, companies would have to report the breach within 72 hours, preserve evidence and assist with the investigation. The proposal also would require companies to employ “basic” security measures such as encrypting data and installing software that detects intrusions.
“It’s all about raising the cyber barricade,” Paul Sternal, an agent with the Defense Criminal Investigative Service’s cyber-crimes unit, said in an e-mail.
While President Barack Obama has made cyber-security a priority, his administration hasn’t implemented a broad plan to fortify the defenses of the government’s computer networks.
In the meantime, the department is fortifying its cyber barriers and detection systems to fend off the 300 million daily attempts to get data, said Jim Lewis, a senior fellow at the Center for Strategic and International Studies, a Washington-based policy group, citing department statistics.
Pentagon officials plan to meet April 22 with defense industry representatives to get their input on the proposed change to the rules for purchasing weapons. The intent is to establish guidelines for securing sensitive, unclassified information that are similar to those for classified data.
The proposal uses “acquisition rules to change public behavior,” Lewis said.
Dale Meyerrose, who was the first chief information officer for U.S. intelligence operations, said the industry has been expecting tighter regulations for some time.
Rules “are not well spelled out for handling unclassified” information, said Meyerrose, now vice president and general manager of cyber-security for Harris Corp., a Melbourne, Florida-based maker of military radios.
Hackers frustrated by the Pentagon’s state-of-the-art computer defenses often attempt to get to information by infiltrating the system of a contractor connected to the department’s network, said Gunter Ollmann, vice president of research at Damballa Inc., an Atlanta-based security consultant.
“If you can’t break through the front door, you go through the side door,” he said.
Contractors are “a softer target” because they don’t spend as much money on beefing up computer security as the government does, Ollmann said.
Last year, the Wall Street Journal reported that computer spies penetrated the F-35 Joint Strike Fighter project, gaining access through vulnerabilities in contractors’ networks. Lockheed Martin Corp., the F-35’s manufacturer, denied the report.
Apptis Inc., a provider of information technology to the military, in February 2009 repaid $1.3 million of a $5.4 million Pentagon contract after investigators said the company provided inadequate computer security and a subcontractor’s system was hacked from an Internet address in China.
Sternal highlighted the need for the proposed regulation in a 2007 article published by the Pentagon inspector general’s office.
“The Defense Department has begun to receive a stream of reports about defense contractor networks being compromised and losing data,” he wrote.
Meyerrose said the proposed rule “takes out some of the ‘gray’” in current regulations on whether contractors have to report breaches.
Questions remain, though, on how the department can enforce the reporting requirement, he said.
Representative Loretta Sanchez, a California Democrat who heads the House Armed Services panel on terrorism, said the department needs to coordinate better with its contractors and protect sensitive information.
“This proposal will help us accomplish both goals,” she said in an e-mailed statement.
By Tony Capaccio and Jeff Bliss, Bloomberg News