Last week, Rep. Mike Rogers (R-Mich.) slammed the Pentagon program allowing some businesses to share information on cyber attacks with the government and receive help in defending against those attacks. Rogers claimed that since being expanded to include the Department of Homeland Security, the DECS program (or DIB-pilot project, as it's also known) has been bleeding members.
"The president said about a year ago that we want to have a thousand companies engaged in the DIB pilot. That was about a year ago. This oughta say everything we need to know...guess how many companies we have participating?" asked Rogers during a speech at the U.S. Chamber of Commerce. "I'll tell you: less than 20. We've lost somewhere between five and seven companies, no gains, no effort to get more people involved."
The only problem with his very public statement? It's wrong, according to Pentagon officials, who have been claiming over the last month that companies have been lining up to join the overall DIB program -- called the Defense Industrial Base Cyber Security Information Assurance program (DIB CS/IA).
When we first wrote about Rogers' comments last Friday, a Pentagon spokesman said this was the first he'd heard that any part of the program was struggling. Over the long weekend, we received more info from the Defense Department.
It turns out that the specific subset of the DIB program Rogers was talking about -- officially known as the DIB Enhanced Cybersecurity Services (DECS) program -- didn't have 20 members when it was in pilot mode, it had 17, and, according to the Pentagon, it has kept those members.
"The DIB CS/IA program has an optional component, called the DIB Enhanced Cybersecurity Services (formerly the DIB Cyber Pilot), which is a DoD-Department of Homeland Security partnership," wrote a Pentagon spokesman in an email. "In September 2012, DoD made DECS available to all companies participating in the DIB CS/IA program. Seventeen companies participated in the DIB pilot and continue to participate in DECS. Under DECS, DoD, via DHS, provides classified cyber threat information and technical countermeasures to DHS-authorized Commercial Service Providers (CSPs), who can then provide a fee-based managed cyber security service to interested DIB CS/IA companies."
(Here's the plain-English explanation of DECS: Defense companies that sign up for it -- yes, it's a pay-for-services program -- get protection against cyber threats from DHS-authorized commercial service providers, typically their telecommunications or Internet providers. Those providers receive signatures of malicious network traffic identified by U.S. intelligence agencies, along with "technical countermeasures" for blocking it, and apply them on the companies' behalf as a managed service. The classified material stays with the provider; the company pays for the filtering, not for the indicators themselves.)
So, by the Pentagon's account, DECS hasn't grown since being opened up to a broader number of companies last month, but it hasn't lost five to seven members either, as Rogers claimed.
Keep in mind that the Michigan Republican, who chairs the House intelligence committee, is pushing the Senate to pass a controversial bill allowing for broad information-sharing between private companies and the government in near real-time and protecting them from lawsuits for improperly sharing private citizens' information. Arguing that the Pentagon's current info-sharing program isn't working would only bolster his push for legislation.
According to the same Defense Department spokesman, the overall DIB program (DIB CS/IA) has more than 60 companies and 80 subsidiaries participating, with more applying to join each week.
"DoD opened the DIB CS/IA program to all eligible DIB companies in May 2012 with the publication of a federal rule," said the Pentagon spokesman. "Over 60 companies and approximately 80 wholly-owned subsidiaries now participate in the DIB CS/IA program. New companies apply to join the program each week. DoD estimates that the companies currently participating represent roughly 70 percent of" big defense contractors where DoD spends its weapons buying cash.
Under the basic DIB CS/IA program, DoD provides defense contractors with classified and unclassified cyber threat information and advice on best practices for keeping their information safe. DIB participants, in turn, report cyber incidents for analysis, coordinate on mitigation strategies, and participate in cyber intrusion damage assessments if information about DoD is compromised.
Update: Rogers' office emailed Killer Apps last night strongly disputing the Pentagon's claim that there are 17 companies participating in DECS.
Here's what his office has to say:
The [House Permanent Select Committee on Intelligence] has heard directly from the telecommunications providers participating in DECS that several companies have left the program since the DIB Pilot Program ended. DoD and DHS confirmed in a briefing last week that of the 17 companies that participated in the original DIB pilot, only 8 remain.
The fact that half of the original companies have voted with their feet and left the program is more evidence that we need to pass an information sharing bill. Even if all 17 original DIB pilot companies were still in the program, it would be nothing to be happy about - this program should already be rapidly expanding to cover thousands of U.S. companies throughout the U.S. economy to get them the protection they need from advanced cyber threats like China.
The Department of Defense (DoD) should be very proud of what they accomplished under the DIB Pilot Program, which demonstrated a revolutionary new model for sharing classified cyber threat information with the private sector. Unfortunately, legal and policy obstacles are holding back DoD’s efforts to expand this model – we urgently need to pass an information sharing bill to overcome these obstacles.
DoD, meanwhile, tells Killer Apps it stands by its claim that DECS has 17 member companies.
Without a list of member companies, there's no way of knowing who is right, so Killer Apps is moving on.
John Reed reports on the frontiers of cyber war and the latest in military technology for Killer Apps.