Department of Defense to enforce breach reporting
August 20, 2014 | Posted by Dan Raywood
The release of a report on proposed rules that would require breach reporting and set a standard of cyber defence has been pushed back by a month by the US Department of Defense.
According to Bloomberg, companies that do business with the Defense Department will face new rules requiring them to report computer breaches to the Pentagon and give the Government access to their networks to analyse the attacks. However, a report that was to be released on the rules has been pushed back until September 24th.
The Defense Department plans to spend $23 billion through fiscal year 2018 on cyber security and has requested $5 billion for 2015; the rule itself is designed chiefly to ensure that companies handling classified data quickly inform the Pentagon of hacking attacks.
The rules will apply to contractors that have Pentagon security clearances to access, receive, or store classified information for the purpose of bidding on a contract or conducting activities in support of programs, according to language that lawmakers wrote to accompany the 2013 Defense Authorization Bill.
Contractors must report a description of methods used in an attack and provide a sample, if found, of the malicious software used, according to the lawmakers.
Sean Sullivan, security advisor at F-Secure, told IT Security Guru that he thought Government should be demanding a standard of security from its contracting customers and partners, but he was unsympathetic to businesses that felt the rule had “the potential to become too onerous” if it required contractors to report minor breaches.
Groups representing the contractors are raising concern about the Pentagon rooting around their data, and say smaller companies may not even have the cyber security protections needed to comply.
Asked if businesses could meet a level set by the Department of Defense, Sullivan said that the DoD needs to secure an incredibly vast set of networks and maintain varying degrees of access.
“The scale of the systems creates a great deal of complexity that needs to be dealt with,” he said. “It’s like needing to secure a city rather than a building. A small to medium enterprise needs to be prepared to defend and secure their building – and if it is breached – the business should be prepared to deal with those concerned with securing the bigger systems.”