Cybersecurity Advisory: Interim DoD Regulation Expands Defense Industrial Base Pilot

On May 11, 2012, the Department of Defense (DoD) issued an Interim Final Rule expanding an existing voluntary cybersecurity information sharing program between DoD and eligible Defense Industrial Base (DIB) companies (DIB Cyber Pilot), and outlining the eligibility and other operational requirements for participation in the newly expanded program. DoD-Defense Industrial Base (DIB) Voluntary Cyber Security Information Assurance (CS/IA) Activities, 77 Fed. Reg. 27615 (May 11, 2012). The Interim Rule authorizes eligible companies to receive certain threat information in return for sharing information regarding network intrusions that could compromise critical DoD programs and missions. Comments on the Interim Rule are due by July 10, 2012.

The Interim Rule expands the pool of companies eligible to participate in the voluntary CS/IA information sharing program from the approximately 37 companies currently participating in the DIB Cyber Pilot, originally launched in June 2011, to approximately 200 participants. To participate in the expanded program, companies must, among other things, enter into a standardized agreement with DoD and meet a number of specific security criteria. Contractors interested in participating should review these eligibility requirements, as well as all policy requirements governing the receipt of information provided by the government, and may apply online at http://dibnet.dod.mil.

The DIB Cyber Pilot faced scrutiny by Congress earlier this year in response to a study, performed by Carnegie Mellon University and commissioned by the Defense Department, which examined whether the use of National Security Agency data disclosed to Pilot participants enhanced participants’ ability to detect additional threats.1 The study’s findings were mixed, and observed that the information provided did not dramatically improve detection in light of the already-sophisticated monitoring capabilities of the participating firms.

The Interim Rule also highlights two key issues at the heart of the current legislative debate over cybersecurity legislation: (1) which federal agency is best suited to take a leading role in cybersecurity, and (2) what role public-private information sharing should play in such efforts. The Interim Rule is a DoD-only effort and raises some uncertainty as to the role the Department of Homeland Security (DHS) will play in this and other public-private information sharing initiatives. DHS and DoD issued a privacy impact assessment in January 2012 in which DHS joined DoD’s existing efforts and established the Joint Cybersecurity Services Pilot (JCSP) through which DHS — through the National Cyber Security Division (NCSD) U.S. Computer Emergency Readiness Team (US-CERT) — sought to build upon existing DIB Pilot activities by allowing DHS to assume responsibility over any Internet Service Providers (ISPs) currently participating in the DIB Pilot. Although the DoD press release announcing the Interim Rule expressed pleasure with DHS’s participation in the program, the Interim Rule is silent on the possibility of DHS expansion of the program outside of the DIB, and states that DoD is the agency responsible for critical infrastructure protection within the Defense Industrial Base under Homeland Security Presidential Directive 7 (HSPD-7). 77 Fed. Reg. at 27616.

Cyber Update from McKenna, Long & Aldridge. Please contact the following for more information:
Richard B. Oliver
213.243.6169

Agustin D. Orozco
213.243.6152