US defense contractors still waiting for breach notification rules
US Department of Defense contractors will have to wait until September 24 to see what specific rules they will be required to follow when it comes to the reporting of computer breaches to the DoD.
This particular requirement was mandated by the US Congress last year, in an attempt to get a clear view of the type and frequency of attacks contractors face.
The US Congress will require “cleared defense contractors” – i.e. those who have been granted clearance by the DoD to access, receive, or store classified information – to report rapidly in the wake of a successful breach, and to include in the report a description of the technique or method used in the penetration, a sample of the malicious software used (if discovered), and a summary of information created for the Department in connection with any Department program that has potentially been compromised as a result of the penetration.
The March 2011 RSA hack is believed to have been executed in order to compromise the company’s SecurID tokens, widely used by a great number of companies that do business with the government.
As the companies wait for the rules to be published, they have expressed concern about government agents being allowed access to their networks so that they can conduct forensic analysis of the attack (in addition to the analysis conducted by the contractor). They are not too happy about the possibility of the Pentagon having access to their trade secrets and commercial, financial, and customer information.
Contractors are also eager to see whether the Pentagon will return the favor and share threat information it has with the firms, so that they can be better prepared to fend off attacks.
Smaller firms are worried that complying with some of the rules might be too costly or even impossible for them, which would ultimately make it impossible to keep existing government contracts or win new ones.
What the contractors are really hoping for is some “clear guidance on how to implement whatever requirements the government is looking to put into place,” Daniel Stohr, director of communications for the Aerospace Industries Association, told Bloomberg’s Chris Strohm.
“We don’t want contracting officers giving their personal interpretation of what this rule would or should be,” he noted.