Just as disturbing as the news of Chinese hacking of U.S. defense contractors' systems, revealed in a new Senate report, is that the contractors failed to notify the military of most of those intrusions.
Why so? The military and contractors don't interpret contract provisions dealing with breaches the same way.
Most of the publicity arising from the release of the Senate Armed Services Committee report focused on Chinese hacking of critical systems - so, what else is new? But a big takeaway from the study, Inquiry Into Cyber Intrusions Affecting U.S. Transportation Command Contractors, is the failure of military contractors to share cyberthreat information with the Transportation Command, known as Transcom, a unified combatant command that provides transportation and logistics services to the U.S. military.
Information sharing is a hot topic these days, but what good is information sharing if parties can't agree on what information is to be shared? Sometimes, it seems that the contractors and government don't speak the same language, interpreting specific provisions in contracts differently.
"The contract language is ambiguous and none of the contractors with whom the committee discussed the clause interpreted their reporting obligation in a manner consistent with Transcom's intent," the report says.
Source of Confusion
Here's how Senate investigators determined the confusion occurred:
Transcom required its contractors to report intrusions that "affect DoD information." To Transcom, that means contractors must report any intrusion that allows access to a system on which DoD information resides or is in transit. But none of the contractors the committee investigators interviewed interpreted the clause that way.
One contractor, a civilian airline that ferries troops and equipment during a crisis, told investigators that it interpreted the clause to require reporting of intrusions of its systems only if those attacks affected DoD data, for example, through data exfiltration or corruption. Another civilian airline said it interpreted the clause to mean intrusions that only affected nonpublic DoD information.
"Setting aside the lack of common understanding between the command and its contractors about the cyber-incident reporting clause, Transcom's own view that reportable intrusions are limited to those that affect systems on which DoD information resides or transit leaves a critical gap," the report says.
More Protection Needed
Senate Armed Services Committee Chairman Carl Levin, D-Mich., says military divisions must improve the way they communicate cyber-vulnerabilities with other government agencies, including the FBI, as well as with their contractors. "Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur," he says.
The panel blamed the lack of contractor cyber-incident reporting on common misunderstandings between contractors and Transcom about the scope of cyber-intrusions that must be reported. Transcom's obliviousness to some intrusions was due to confusion about the rules governing how cyber-related information may be shared and a lack of common understanding between the command and other DoD components about what cyber-information Transcom needs to know.
"It is essential that we put into place a central clearinghouse that makes it easy for critical contractors, particular those that are small businesses, to report suspicious cyber activity without adding a burden to their mission support operations," says Sen. Inhofe, R-Okla., the committee's ranking member.
Committee investigators spent a year, ending in March, investigating the breaches and discovered that in a 12-month period beginning June 1, 2012, there were about 50 intrusions or other cyber-events into the computer networks of Transcom contractors. Investigators attributed at least 20 of those successful intrusions to an advanced persistent threat.
By Eric Chabrow (govinfosecurity)