Defense bill would require contractors to notify DoD of cyber intrusions

In case you missed it, buried inside the 2013 defense authorization bill is a clause that would require defense contractors to notify the Pentagon any time they have suffered a "successful penetration."

Section 936 of the bill requires that the Pentagon "establish a process" for defense contractors that have classified information on their networks to quickly report any successful cyber attacks against them to the Defense Department. Contractors must include a description of the "technique or method used in the penetration," and include samples of the "malicious software, if discovered and isolated by the contractor," reads the bill.

The bill would also require contractors to give DoD access to "equipment or information" to determine if any classified "information created by or for" the DoD had been stolen. It prohibits the Pentagon from distributing this information outside of DoD without the victim's approval.

(While a limited number of contractors participating in DoD’s cyber security program, known as the DIB CS/IA, already tell the Pentagon about such breaches, this law would cover all defense contractors, explained a Pentagon spokesman.)

Sound familiar? That’s because this language is similar to what Sens. Joe Lieberman (I-Ct.) and Susan Collins (R-Maine) wanted utilities, transportation companies, telecoms and banks to do with the Department of Homeland Security in the Cyber Security Act of 2012, which failed to advance in the Senate last month.

Advocates say Section 936, authored by Senate Armed Services Committee chairman Carl Levin (D-Mich.), is badly needed given that U.S. businesses, including defense contractors, have had reams (billions of dollars worth, by some accounts) of sensitive data stolen by hackers in China and Russia. In fact, in 2007 and 2008, Lockheed and other defense contractors working on the F-35 Joint Strike Fighter program (the biggest weapons buy in Pentagon history) were the victims of large-scale hacks that resulted in classified information about the jet being stolen, leading to a costly redesign of some of the plane’s systems.

It may be no coincidence that China recently produced a stealth fighter — the J-31 — that looks an awful lot like an F-35.

"This is really important. We shouldn’t belittle it — there’s a lot of this stuff going on," David Smith, director of the Potomac Institute’s Cyber Center, said during a Dec. 4 speech. "We’re basically funding the research and development for the People’s Liberation Army and the army of the Russian Federation and maybe a few others."

During a press conference after the Senate passed its version of the NDAA this week, Levin said, "I think it’s so obvious that if a defense contractor with classified information has their networks penetrated and attacked, that the government has to know about that."

John McCain (R-Ariz.), the top Republican on the Senate Armed Services Committee, echoed Levin’s statements, saying that since defense contractors are spending public money, they should have to report security breaches.

"It’s the taxpayer’s dollar," said McCain, who opposed the Lieberman-Collins bill because he thought that the National Security Agency, not the civilian DHS, should have the lead in protecting critical infrastructure from cyber attack. "It’s nonsense to think that somehow the government should not be made aware of" cyber attacks against defense contractors.

John Reed is a national security reporter for Foreign Policy. He comes to FP after editing Military.com’s publication Defense Tech and working as the associate editor of DoDBuzz. Between 2007 and 2010, he covered major trends in military aviation and the defense industry around the world for Defense News and Inside the Air Force. Before moving to Washington in August 2007, Reed worked in corporate sales and business development for a Swedish IT firm, The Meltwater Group in Mountain View CA, and Philadelphia, PA. Prior to that, he worked as a reporter at the Tracy Press and the Scotts Valley Press-Banner newspapers in California. His first story as a professional reporter involved chasing escaped emus around California’s central valley with Mexican cowboys armed with lassos and local police armed with shotguns. Luckily for the giant birds, the cowboys caught them first and the emus were ok. A New England native, Reed graduated from the University of New Hampshire with a dual degree in international affairs and history.
