Defense bill would require contractors to notify DoD of cyber intrusions

In case you missed it, buried inside the 2013 defense authorization bill is a clause that would require defense contractors to notify the Pentagon any time they have suffered a "successful penetration."

Section 936 of the bill requires that the Pentagon "establish a process" for defense contractors that have classified information on their networks to quickly report any successful cyber attacks against them to the Defense Department. Contractors must include a description of the "technique or method used in the penetration," and include samples of the "malicious software, if discovered and isolated by the contractor," reads the bill.

The bill would also require contractors to give DoD access to "equipment or information" to determine if any classified "information created by or for" the DoD had been stolen. It prohibits the Pentagon from distributing this information outside of DoD without the victim’s approval.

(While a limitied number of contractors already participating in DoD’s cyber security program known as the DIB CS/IA already tell the Pentagon about such breaches, this law would cover all defense contractors, explained a Pentagon spokesman.)

Sound familiar? That’s because this language is similar to what Sens. Joe Lieberman (I-Ct.) and Susan Collins (R-Maine) wanted utilities, transportation companies, telecoms and banks to do with the Department of Homeland Security in the Cyber Security Act of 2012, which failed to advance in the Senate last month.

Advocates say Section 936, authored by Senate Armed Services Committee chairman Carl Levin (D-Mich) is badly needed given that U.S. businesses including defense contractors have had reams (billions of dollars worth, by some accounts) of sensitive data stolen by hackers in China and Russia. In fact, 2007 and 2008 Lockheed and other defense contractors working on the F-35 Joint Strike Fighter program (the biggest weapons buy in Pentagon history) were the victims of large-scale hacks that resulted in classified information about the jet being stolen, leading to a costly redesign of some of the plane’s systems.

It may be no coincidence that China recently produced a stealth fighter — the J-31 — that looks an awful lot like an F-35.

"This is really important. We shouldn’t belittle it — there’s a lot of this stuff going on," David Smith, director of the Potomac Institute’s Cyber Center, said during a Dec. 4 speech. "We’re basically funding the research and development for the People’s Liberation Army and the army of the Russian Federation and maybe a few others."

During a press conference after the Senate passed its version of the NDAA this week, Levin said, "I think it’s so obvious that if a defense contractor with classified information has their networks penetrated and attacked, that the government has to know about that."

John McCain (R-Ariz.), the top republican on the Senate Armed Services Committee, echoed Levin’s statements, saying that since defense contractors are spending public money, they should have to report security breaches.

"It’s the taxpayer’s dollar," said McCain, who opposed the Lieberman-Collins bill because he thought that the National Security Agency, not the civilian DHS, should have the lead in protecting critical infrastructure from cyber attack. "It’s nonsense to think that somehow the government should not be made aware of" cyber attacks against defense contractors.