Top-level defense contractors like General Dynamics and Lockheed Martin are in close collaboration with the Pentagon to develop a cyber security arsenal capable of allowing the Defense Department to defend its networks and attack other networks around the world.
The partnership’s existence is confirmed in a 2011 Pentagon strategy document for operating in cyberspace. According to Richard Bejtlich, chief security officer at MANDIANT, a cyber security firm based in Northern Virginia, this partnership has been increasingly active as the Pentagon has increased cyber security efforts.
“Top tier contractors in the defense industrial base are all part of an information sharing program. These companies are doing original research and sharing it amongst themselves and the Pentagon,” he said. “The team is highly functioning and they find stuff that other people don’t find.”
With recent cyber attacks on high profile media companies like The New York Times and Wall Street Journal, and threats to the nation’s energy grid and financial institutions, a new sense of urgency has taken hold.
Bejtlich, who teaches cyber defense classes to the military, said that this collaboration provides the backbone of the nation’s cyber defense. The extent of the work is classified, but recent reports indicate that the United States recently infiltrated computer systems at Iran’s Natanz nuclear facility.
The top defense contractors that are working with DOD aren’t participating out of patriotism: they’re doing it because the Pentagon requires it.
“These same companies have to report intrusions as part of their contracts with DOD,” Bejtlich said. “You’ll see reports that come out on a yearly basis by the Defense Security Service.”
The recent executive order signed by President Obama requiring federal agencies and private businesses to bolster cyber defenses is going to increase collaboration between the public and private sectors. But it also raises serious questions about the evolving rules of cyber warfare. And it is creating concerns about the readiness of smaller companies who don’t have sophisticated cyber defenses.
Rules of engagement
Cyber warfare is drastically changing how war is fought and who is fighting it. The Pentagon says it is working on rules of engagement, but has yet to publish them. This leaves legal uncertainty about who is allowed to do what to a hacker.
Take this example. A large private company has its computers breached. After some investigation, the company determines the hackers are working for the Chinese government. The cyber security team at the company begins to defend its systems, and eventually repels the attack.
But in the course of the defense, the company notices an opening that would prevent the Chinese hackers from ever attacking the company again. They plant a virus in the Chinese system and then retreat.
The whole situation sounds innocuous. But in the cyber world, this constitutes a battle. And in this battle, an American company just committed an act or war against China.
“It’s a little bit like a vigilante force. It’s one of the few times its acceptable for a private company to form a posse,” said Larry Ponemon, founder of the Ponemon Institute, a think tank that studies data privacy. “You don’t want people taking things into their own hands, but sometimes you need to have a collaborative relationship with law enforcement.”
It’s also not clear when a cyber attack warrants a traditional military response. The Defense Department has said that all options are on the table in terms of retaliation to the cyber threat. But it’s set no bar on what the nature of an attack would be.
“The event that would catch everyone’s attention is one in which people die, or there’s a catastrophe that results in the lost of life,” said Bejtlich. “If that were to occur, the Secretary of Defense has said that they do not reserve the right of cyber for cyber. If someone were to have a cyber attack, we reserve the right to have a conventional strike.”
Unprepared for the threat
According to Bejtlich, banks, utility companies, and defense contractors are the only ones adequately prepared for a cyber strike. Yet even as these companies have sophisticated cyber operations, they have been infiltrated in the past.
Last year, hackers attacked PNC, JP Morgan Chase, U.S. Bank, Wells Fargo and Bank of America. The U.S. government blamed the attacks on Iran. NJVC, a defense contractor, was also reportedly hacked by the Chinese last month.
The vulnerabilities at large companies are troubling for smaller companies who are far behind in cyber security. The executive order is supposed to bolster cyber defense at smaller firms, but the results of the order – and the companies’ implementation of the federal recommendation - are years away.
“Hackers are testing the limits, and they haven’t caused massive amounts of damage. But it’s like a test flight before the bombing of Pearl Harbor. It’s just a matter of time before they start to do some very serious damage,” Ponemon said.
He added: “The state of the cyber world is not good. Attack vectors are becoming more stealthy and complex to deal with.”