ARLINGTON, Virginia (Reuters) - The U.S. government is close to completing rules for a long-awaited expansion of the number of defense contractors with which it swaps data on cyber threats, the Defense Department’s chief information officer said on Tuesday.
The number of companies would jump from 37 currently to 200, Teri Takai, the chief information officer, told a forum in Arlington, Virginia.
Takai said she hoped that a federal rule-making process under way would wrap up within the next 60 days amid what she and other Pentagon officials describe as mounting cyber threats to U.S. high-tech companies.
The companies will have to agree on a protocol for information-sharing among themselves and with the Defense Department, which will act as coordinator for the Defense Industrial Base Cyber Security and Information Assurance program.
There was a “waiting list” of those keen to join, Takai told the forum organized by Representative Jim Moran, a Democrat whose Virginia district is home to many information-technology and defense contractors.
The cyber threat to U.S. aerospace, defense and other high-technology companies “is increasing at a rapid and accelerating rate,” Rear Admiral Samuel Cox, director of intelligence for the military’s Cyber Command, told the session.
The Office of the National Counterintelligence Executive, a U.S. intelligence arm, said in an unclassified report to Congress in October that China and Russia were in the forefront of keyboard-launched theft of U.S. trade and technology secrets to bolster their fortunes at U.S. expense.
Cox, replying to a question from Reuters after the event, said that the “amount of cyber exploitation by China continues to increase significantly” with what he suggested was the approval of the authorities in Beijing.
As the Defense Department has become better at defending its own classified and unclassified networks, Cox said, adversaries tend to go after “softer targets” such as defense contractors and other private vendors.
“And they’re having significant success in that regard,” he said.
Expansion of the program, which began in 2007, would let the Defense Department, including the communications-intercepting National Security Agency, share more sensitive data with private companies to counter the threat and get valuable information from the companies.
The initial effort provided for sharing of cyber threat-related intelligence only up to the “secret” level. Last year, the Defense Department added more sensitive classified information to the pilot group while working out procedures and a legal framework for a broader base.
Takai told reporters that the program eventually could be expanded to all the Pentagon’s suppliers who qualify under the rules. She said the companies would receive information on threats and solutions applied to thwart them.
Andy Purdy, chief cyber strategist at CSC, a major information technology supplier, said the program might eventually bring together as many as 2,000 U.S. companies in a public-private partnership, including some running crucial infrastructure.
President Barack Obama has requested $3.4 billion in his fiscal 2013 budget to boost the Defense Department’s cyber defenses. Congress is likely to provide all of this “because this is going to have to be our highest priority,” Moran told the forum.
Separately, the Department of Homeland Security is working with the Defense Department on what is now known as the Joint Cybersecurity Services Pilot program, formerly the Defense Industrial Base pilot.
“No decision has been made on whether, when, or how to expand the coverage of the JCSP beyond the current participants,” a Homeland Security official said.
That program involves sharing sensitive threat-related information with unspecified Internet service providers who then relay it to the companies involved in the pilot. Its expansion also hinges on completion of the federal rule-making process, Takai said.
Reporting By Jim Wolf; Editing by Tim Dobbyn