Have you been hacked? … you must disclose it!

In 2009 it was revealed that BAE Systems, one of the primary defense contractors, had been hacked, exposing sensitive information on the F-35 fighter jet. The confidential information was obtained by a group of hackers who accessed an internal server of the contractor, but BAE Systems admitted the breach only in 2012.

The attackers were subsequently identified as Chinese hackers who wanted to steal the plans for the advanced aircraft; the stolen data probably inspired the design of the Chinese stealth fighter recently unveiled.

The first attack occurred in 2007, but it was revealed only in 2009, when a senior U.S. defense official in Washington confirmed that hackers had breached the F-35 jet fighter program developed for the Pentagon by Lockheed Martin Corp. The Chinese government has always denied any responsibility.

It is clear that delaying the disclosure of a hack can have serious consequences. In the defense sector, for example, late public disclosure could give an advantage to a foreign government that could benefit from the stolen information in various ways: the data could be used to narrow the technological gap between contenders, helping one side conduct military operations against the adversary.

The situation is about to change: the amendment to the defense budget, “H.R. 4310: National Defense Authorization Act for Fiscal Year 2013”, introduced by Sen. Carl Levin, obliges defense contractors to disclose any attack they suffer. Of course the amendment has caused considerable stir and indignation among the government's suppliers, who claim to have always worked in this direction.

In effect, the Pentagon’s Defense Security Service already publishes a regular series of reports on the cyber attacks it detects, but while today reporting hacks in the defense industry is voluntary, in future it will be an obligation.

The US Government is already inserting a specific clause in contracts that mandates the reporting of security data breaches; the collected information could be used to prevent further attacks and to mitigate the effects of cyber threats.

Of course there are also strong supporters of the amendment; many experts maintain that it should be extended to private business as well, not only to defense, since disclosing the effects of a cyber attack could prevent further damage.

While the US Government requests this effort from its contractors, it has to provide the same level of transparency at least within its own agencies and departments.

The US government considers information a fundamental “national asset” for ensuring the security of the nation; the sharing of the right information among agencies, departments and defense contractors could improve the security level of the country.

Today the sharing of information between companies and governments is very limited, due to the fear of private businesses that the disclosure of the wrong data would cost them competitiveness.

The White House has issued a framework to adopt when sharing information, the National Strategy for Information Sharing and Safeguarding; the document explains the importance of data sharing:

“Our national security depends on our ability to share the right information, with the right people, at the right time. This information sharing mandate requires sustained and responsible collaboration between federal, state, local, tribal, territorial, private sector, and foreign partners.”

Murray Jennex, a cybersecurity expert and associate professor at San Diego State University, said:

“To be effective, any data-sharing requirements from the government would have to include immunity from lawsuits for the information transferred. That’s really what hangs up people from sharing stuff about breaches. Because it does open them up to lawsuits, and without that relief, we won’t get sharing.”

One option could be to allow information on cyber attacks and on the failure of defensive measures to be submitted anonymously.

The latest guidelines establish five goals, such as the adoption of common processes, the development of policies for information sharing by government entities, the development of network interoperability and of shared services and data, and the implementation of safeguards to prevent violations of privacy and civil rights.

I have found on the “CSO Security and Risk” web site a statement that I believe is crucial to understanding the importance of information sharing:

“While companies and government struggle over many issues related to data sharing, cybercriminals have established highly effective underground forums and chat rooms for sharing information, experts say. This has left their targets, companies and government agencies, at a disadvantage.”

No doubt, we are obliged to fill in the gaps by embracing the concept of sharing.

Pierluigi Paganini
