Government to Share Cyber Security Information with Private Sector

By Joseph Menn | May 15, 2013
Janet Napolitano

The U.S. government will use classified information about software vulnerabilities for the first time to protect companies outside of the military industrial complex, top officials told Reuters this week.

Secretary of Homeland Security Janet Napolitano said that a system being developed to scan Internet traffic headed toward critical businesses would block attacks on software programs that the general population does not realize are possible.

“It is a way to share information about known vulnerabilities that may not be commonly available,” Napolitano said at the Reuters Cybersecurity Summit in Washington, D.C.

The information would come from “a variety of sources” including intelligence agencies, she said on Tuesday.

The National Security Agency and other intelligence agencies develop and acquire knowledge about software flaws in order to penetrate overseas networks. Until now, there has been no straightforward way for these agencies to share that classified data with U.S. companies outside the defense sector, even though those companies could become victims of cyber attacks.

The plan is to discreetly share the data through what the government calls Enhanced Cybersecurity Services. Under a February presidential order, those services will be offered by telecommunications and defense companies to utilities, banks and other critical infrastructure companies that choose to pay for them.

Napolitano’s Department of Homeland Security will take the information from the NSA and other sources, and relay it to service providers with security clearances. The service providers would then use these “attack signatures” – such as Internet routing data and content associated with known adversary groups – to screen out malicious traffic.

Napolitano’s comments were the first disclosure that the screening would also cover attacks on software using methods known to the government that have not been disclosed to the software manufacturers or buyers.

While U.S. intelligence agencies have at times warned software manufacturers, such as Microsoft Corp. and Google Inc., or Homeland Security officials of specific, declassified problems, the new system will be machine-to-machine and far more rapid.

It reflects the realization that many espionage attacks from overseas are aimed at the private sector and that future destructive attacks may arrive the same way. (Classified attack signatures have been used to protect defense manufacturers under a Pentagon program.)

House of Representatives Intelligence Committee Chairman Mike Rogers said he was glad about the plan to share more broadly information about vulnerabilities, while maintaining control of the process to avoid tipping off rival countries or criminals.

“This can’t happen if you post it on a website,” Rogers, a Republican and lead author of a cybersecurity information-sharing bill that has passed the House, told the Summit. “We have to find a forum in which we can share it, and 10 providers serve 80 percent of the market. We have classified relationships with a good number of them.”

Among those that have agreed to provide the classified security services are AT&T Inc. and Raytheon Co. Northrop Grumman Corp. said this week it had also joined the program.

The secret but widespread U.S. practice of buying up tools leveraging unknown or “zero-day” software flaws for spying or attacks was the subject of a Reuters Special Report last week, in which former White House cybersecurity advisors said more flaws should be disclosed for defensive reasons.

Michael Daniel, the White House cybersecurity policy coordinator, told the Summit the Enhanced Cybersecurity Services program was still evolving and the type of information shared would change as threats do.

“We want to use the full capabilities that we have to protect as much of the critical infrastructure as we can with that program,” he said.

(Reporting by Joseph Menn; Editing by Tiffany Wu and Leslie Gevirtz)

 


Latest Comments

  • May 21, 2013 at 1:57 pm
    bangersandmash says:
    They may view you as a cyber threat for asking the question.
  • May 20, 2013 at 2:36 pm
    ExciteBiker says:
    Words and language are very important. I noticed that government here proposes to "share" cyber security information...by monitoring the internet traffic flowing to businesses....
  • May 17, 2013 at 10:56 am
    LiveFree says:
    Exactly what I thought. The Government has this grand illusion that they are better than the private sector at most things when in reality it is quite the opposite. I see this...