Remember back in August when we talked about former DepSecDef Bill Lynn's cyber-security pilot program for the defense industrial base? The game plan was for the Pentagon to open at least part of its rogues' gallery of viruses, malware and who knows what else to the cyber-security teams of the big contractors, to help them stand a better chance against all the intrusions and attacks these days.
Well, as AP's Lolita Baldor reports, everyone sounds pretty pleased with this concept so far. And as you'll read, the cyber-momentum the Pentagon has gained here could wind up pushing another big federal agency -- the Department of Homeland Security -- toward closing up some of the cyber-Swiss cheese that is in U.S. cyber-security:
The Pentagon's pilot program represents a key breakthrough in the Obama administration's push to make critical networks more secure by sharing intelligence with the private sector and helping companies better protect their systems. In many cases, particularly for defense contractors, the corporate systems carry data tied to sensitive U.S. government programs and weapons.
Wow, candor! Usually cyber-security discussions at the congressional level are all "we need to get a dialogue going and talk about our feelings," not actual details about what actually needs to happen. It'll be very interesting to see where this goes -- whether DHS shirks or embraces the prospect of being officially designated as the cyber-watchdog for the private sector, which might bring both new funding and authorities but also new pressure in case of a major "security surprise." But it might be a step toward finally resolving one of the central cyber-bugbears: Which agencies are going to be responsible for which jobs?
So far, the trial program involves at least 20 defense companies. It will be extended through mid-November, amid ongoing discussions about how to expand it to more companies and subcontractors.
"The results this far are very promising," said William Lynn, the deputy secretary of defense who launched the program in May. Lynn, who has just left office, said the government should move as quickly as possible to expand the protections to other vital sectors.
A senior DHS official said no decisions have been made, but any effort to extend the program — including to critical infrastructure — faces a number of challenges. The official, who spoke on condition of anonymity because the program review is ongoing, said it would be helpful if Congress would pass legislation that explicitly says DHS is responsible for helping private sector companies protect themselves against cyberattack. Also, the legislation should say that companies can be protected from certain privacy and other laws in order to share information with the government for cybersecurity purposes, the official said.