
Department of Defense to enforce breach reporting

August 20, 2014 | Posted by Dan Raywood

The US Department of Defense has pushed back by a month a proposed report on rules requiring the reporting of breaches and a standard of cyber defence.

 

According to Bloomberg, companies that do business with the Defense Department will face new rules requiring them to report computer breaches to the Pentagon and give the Government access to their networks to analyse the attacks. However, a report that was to be released on the rules has been pushed back until September 24th.

 

As the Defense Department plans to spend $23 billion through fiscal year 2018 on cyber security and requested $5 billion for 2015, the crux of the rule is designed to ensure companies handling classified data quickly inform the Pentagon of hacking attacks.

 

The rules will apply to contractors that have Pentagon security clearances to access, receive, or store classified information for the purpose of bidding on a contract or conducting activities in support of programs, according to language that lawmakers wrote to accompany the 2013 Defense Authorization Bill.

 

Contractors must report a description of methods used in an attack and provide a sample, if found, of the malicious software used, according to the lawmakers.

 

Sean Sullivan, security advisor at F-Secure, told IT Security Guru that he thought that Government should be demanding a standard of security from its contracting customers and partners, but he was unsympathetic to businesses who felt it had “the potential to become too onerous” if it requires contractors to report minor breaches.

 

Groups representing the contractors are raising concern about the Pentagon rooting around their data, and say smaller companies may not even have the cyber security protections needed to comply.

 

Asked if businesses could meet a level set by the Department of Defense, Sullivan said that the DoD needs to secure an incredibly vast set of networks and maintain varying degrees of access.

 

“The scale of the systems creates a great deal of complexity that needs to be dealt with,” he said. “It’s like needing to secure a city rather than a building. A small to medium enterprise needs to be prepared to defend and secure their building – and if it is breached – the business should be prepared to deal with those concerned with securing the bigger systems.”
