Innovative U.S. cybersecurity initiative to address cyberthreats

Published 2 May 2014

Cyberattacks on computer networks around the world reached 1.7 billion in 2013, up from 1.6 billion in 2012. The administration’s 2012 Enhanced Cybersecurity Services (ECS) program, launched to protect the private sector from hackers by letting approved companies access classified information on cyber threats and sell cybersecurity services to critical infrastructure targets, is still in its early stages fourteen months after its launch.

Cyberattacks on computer networks around the world reached 1.7 billion in 2013, up from 1.6 billion in 2012, according to Kaspersky Lab. President Barack Obama’s 2012 Enhanced Cybersecurity Services (ECS) program, launched to protect the private sector from hackers by letting approved companies access classified information on cyber threats and sell cybersecurity services to critical infrastructure targets, is still in its early stages fourteen months after its launch.

Bloomberg News reports that Lockheed Martin Corporation, Raytheon Company, and sixteen other firms have been tentatively approved to participate in the program, but they have not been approved to handle the classified information. High-profile attacks on Target Corporation and Neiman Marcus, along with attempts to destabilize Web sites of banks, including JPMorgan Chase & Company, could have been prevented if more firms had been able to access the data the ECS program offered. “There’s a lot of information in the security world that should be known to others,” said Lars Harvey, chief executive officer of Internet Identity. “We need to speed up what we’re doing.”

The ECS program has been praised by security experts, but the delay has also raised concerns. “Conceptually it’s a great idea,” said William Anderson, director of The Infrastructure Security Partnership. “I can understand why they would be holding off as long as they don’t have the assurance that the electronic sharing of the information is secure and done appropriately.”

Companies seeking to be service providers must have personnel with top secret security clearances and facilities to handle classified cyber-threat data. Lockheed plans to demonstrate its capability to use and protect both classified and unclassified threat information. “The overall schedule was driven by the engineering required to design, procure, build, test and accredit the system to ensure that we protect classified intelligence while securing our clients’ networks,” said Rich Mahler, director of commercial cybersecurity solutions at Lockheed. “Approving the integration of our unclassified security process with ECS has required additional government validation.” Mahler said that once its system is approved by DHS, Lockheed will be able to access the ECS system later this year.

A survey by the Ponemon Institute reports that roughly 61 percent of security experts believe that sharing cyber-threat intelligence could have prevented a cyber-attack their company experienced. Upon its launch, the ECS approved AT&T and CenturyLink to use classified cyber-threat data to sell security services to a list of approved critical infrastructure firms. A February 2013 executive order to expand the program led DHS to sign agreements with other firms seeking to be service providers. DHS must also approve the companies wishing to purchase security services from the providers. Bloomberg notes that DHS has approved forty of potentially thousands of companies that operate critical computer networks in the communications, energy, and defense industries.

Lockheed and Raytheon’s participation in the ECS program means that defense contractors will compete with Internet service providers to sell cybersecurity services. Jack Donnelly, director of global cybersecurity solutions for Raytheon, said there are potentially thousands of customers.