Rogers was right, DoD-DHS cyber info sharing program has shrunk
The joint DoD-DHS program that provides defense contractors with protection from bad cyber actors identified by U.S. intelligence agencies has actually shrunk, contrary to the Pentagon’s earlier insistence otherwise.
The Defense Enhanced Cybersecurity Services (DECS) program has been touted as one way that the U.S. government can partner with private "critical infrastructure providers" to boost their online defenses. Under DECS, businesses pay their Internet service providers (ISPs) a fee to receive extra protection from specific threat signatures that have been identified by American spy agencies as being malicious. (Those signatures — collected via secret means — are given to the ISPs by the U.S. government.)
The program ran in pilot mode for nearly two years with 17 member companies subscribing, and it was opened up to a broader swath of companies last month.
However, several weeks ago, Rep. Mike Rogers (R-Mich.), chair of the House intelligence committee, claimed that, while DECS is a good idea, the program has been shrinking, something the Pentagon denied. Until now.
"At the end of the operational pilot, one of the commercial service providers withdrew," a Pentagon spokesman explained in an Oct. 24 email. "During the operational testing of the pilot, five of the 17 DIB companies chose to withdraw and reallocate their resources to other corporate priorities."
That leaves 12 companies that are participating in the DECS program. Four of the five companies that quit during the pilot are considering rejoining a modified version of the program, according to DoD. These companies would cut out the ISPs as middlemen and receive threat signatures straight from the government, allowing them to monitor their own networks without paying the ISPs.
"Four of the five companies that withdrew are now reviewing the documentation for the permanent DECS component to determine whether to become an operational implementer, wherein they would be authorized to implement the services for their own networks," reads the email.
The Pentagon explained its earlier insistence that the DECS program still had 17 members by saying that since the program involves relationships between the defense contractors and ISPs, it did not receive updates on how many companies were actually participating.
"Under DECS, the services are primarily a relationship between the companies and their commercial service providers," reads the email. "Participating companies are not obligated to report data about their participation on a regular basis. When DoD responded to queries from the press on the number of companies that were participating in the program early last week, DoD used the best information available at the time. Subsequent further direct engagement with each company resulted in the more specific count above. To support House Permanent Select Committee on Intelligence (HPSCI) inquiries, DoD contacted each of the original 17 pilot participants for feedback and status."
Meanwhile, the larger initiative to which DECS belongs — the Defense Industrial Base Cybersecurity Assurance (DIB CS/IA) program — has been growing as advertised since it was opened to a large number of defense companies in May 2012, according to the Pentagon. DIB CS/IA allows for information-sharing about cyber threats between defense companies and the government.
"Since May 2012, the DIB CS/IA program has expanded from 34 to 65 companies, with new companies joining every week," read the spokesman’s email. "In addition, since DoD recently finalized the processes for DIB CS/IA participants to join DECS, DoD continues to inform DIB companies of the availability of the services offered in the baseline DIB CS/IA program and the enhanced services under DECS."
John Reed is a national security reporter for Foreign Policy. He comes to FP after editing Military.com’s publication Defense Tech and working as the associate editor of DoDBuzz. Between 2007 and 2010, he covered major trends in military aviation and the defense industry around the world for Defense News and Inside the Air Force. Before moving to Washington in August 2007, Reed worked in corporate sales and business development for a Swedish IT firm, The Meltwater Group, in Mountain View, CA, and Philadelphia, PA. Prior to that, he worked as a reporter at the Tracy Press and the Scotts Valley Press-Banner newspapers in California. His first story as a professional reporter involved chasing escaped emus around California’s central valley with Mexican cowboys armed with lassos and local police armed with shotguns. Luckily for the giant birds, the cowboys caught them first and the emus were OK. A New England native, Reed graduated from the University of New Hampshire with a dual degree in international affairs and history.