Companies that do business with the Defense Department are bracing for new U.S. rules requiring them to report computer breaches to the Pentagon and give the government access to their networks to analyze the attacks.
Groups representing the contractors are raising concern about the Pentagon rooting around their data, and say smaller companies may not even have the cybersecurity protections needed to comply. A report that was to be released today on the rules has been pushed back until Sept. 24, according to a person familiar with the matter who isn’t authorized to speak publicly.
The pending rule change marks an escalation of efforts to understand the scale of hacking as the Defense Department plans to spend $23 billion through fiscal year 2018 on cybersecurity. At its core, the rule is designed to ensure that companies handling classified data quickly inform the Pentagon of hacking attacks.
The effort “has the potential to become too onerous” if it requires contractors to report minor breaches and allows the Pentagon access to trade secrets or personal information on their networks, said Mike Hettinger, senior vice president for the public sector at TechAmerica, a trade association in Arlington, Virginia, that represents Bethesda-based Lockheed Martin Corp., Northrop Grumman Corp. and other defense contractors.
“The idea is to make sure we know where these breaches have been and protect information that is in these systems, and not just make people disclose for disclosure’s sake,” Hettinger said in an interview.
Congress mandated the rules as part of a budget authorization measure in 2013 for the Defense Department after repeated warnings from Pentagon officials about hacking threats and successful incursions.
The 2013 law had called for the rules to be developed within 90 days.
Foreign hackers stole 24,000 U.S. military files in a single incident on a defense contractor in March 2011 in one of the Pentagon’s worst cyber-attacks. In May 2011, Bethesda, Maryland-based Lockheed suffered what it called a “tenacious” attack on its computer networks, though the company said no employee, program or customer data was lost.
“Cybersecurity is increasingly becoming the cost of doing business with the federal government,” Daniel Stohr, director of communications for the Aerospace Industries Association, said in a phone interview. “It’s something as an industry that we have to face.”
The rules could have a far-reaching impact on small and medium-sized companies and their vendors, though the exact cost is impossible to know without the details, said Rusty Rentsch, assistant vice president for technical operations at the Arlington, Virginia-based association, which represents almost 150 companies including Boeing Co. and DigitalGlobe Inc.
Companies will be looking for clarity about what kind of breaches have to be reported and what procedures need to be followed when incursions are found, Rentsch said in a phone interview.
“We’re looking for clear guidance on how to implement whatever requirements the government is looking to put into place,” he said. “We don’t want contracting officers giving their personal interpretation of what this rule would or should be.”
Companies also will want the Pentagon to share information about hacking threats in order to help them better understand what to watch for, Rentsch said.
Hacking risks are growing and top the list of global threats, Director of National Intelligence James Clapper told the Senate’s intelligence committee in January. It was the second year in a row that hacking threats were the top concern.
A report last month from the federal commission that investigated the Sept. 11, 2001, terrorist attacks said cybersecurity is “the battlefield of the future” and the nation’s ability to protect core networks lags far behind the growing threat.
The rules will apply to contractors that have Pentagon security clearances to access, receive, or store classified information for the purpose of bidding on a contract or conducting activities in support of programs, according to language that lawmakers wrote to accompany the 2013 defense authorization bill.
Contractors must report a description of methods used in an attack and provide a sample, if found, of the malicious software used, according to the lawmakers.
The rulemaking is also an effort to create a uniform approach to what are now case-by-case contracting requirements at the Pentagon to report hacking breaches, said Harriet Pearson, a partner at the Washington law firm Hogan Lovells.
“What it really means is any defense contractor who intends to be able to handle classified information needs to review and update their breach detection, response and reporting,” Pearson said in a phone interview. “Can you detect if you’ve had an incident?”
“The new rules will help bring some clarity to the process that contractors are expected to follow,” she said.