Deputizing Companies in Cyber Defense

The bond between American spies and businesses is about to get tighter.

The Obama administration is about to pull US telecommunications companies even deeper into the ongoing cyber conflict with China. 

Foreign Policy reports that in the coming weeks, the National Security Agency, in concert with the Homeland Security Department and the FBI, “will release to select American telecommunication companies a wealth of information about China’s cyber-espionage program.” The idea behind this reportedly classified operation is to give the telecoms more information about how Chinese cyber spies ply their trade, so that American companies can in turn get ahead of the threat and better defend themselves. 

The information the government will share with the companies includes “sophisticated tools that China uses, countermeasures developed by the NSA, and unique signature-detection software that previously had been used only to protect government networks,” FP reports. 

This marks an escalation in the so-called “public-private partnership” that has existed for a few years now in the ever-expanding cyber battlefield. The government has already been sharing with telecom companies some domain names and Internet addresses associated with suspected spies and hostile actors. The companies, which run and manage the country’s networks, in turn are expected to exercise some level of surveillance and defense, which theoretically redounds to the benefit of their customers. 

This hasn’t really made cyberspace any safer, nor has it significantly reduced cyber espionage and malware attacks against US companies. So now, the government is effectively giving the companies more cyber “ammo,” in the form of richer and more secretive intelligence, which it has traditionally guarded. In theory, the companies will have greater insight into how spies are trying to crack their networks. 

The timing of this event doesn’t seem coincidental. In February, computer security firm Mandiant released a report naming the Chinese military as a major source of espionage against U.S. companies. I’m told by knowledgeable sources that the release of that report was coordinated with the Defense Department and the Homeland Security Department, which just a day earlier released much of the same threat information that’s in the Mandiant report, but without attributing the source to China. Like the new information-sharing program, these are not rhetorical strategies, but rather tactical attempts to push back against cyber spying and give US companies more means to defend themselves. 

The Obama administration has long understood that in order to defend cyberspace, it’s going to have to enlist the cooperation and active participation of US companies. The US government, for all its technical intelligence prowess, simply cannot defend a network infrastructure that is almost entirely owned and operated by the private sector. 

For their part, companies have been itching to get more information and to change the often one-way flow of threat information from the private sector to the government. Companies know their networks are threatened, but they often don’t know much about the sources of those intrusions, and what else the intruders are capable of doing. They need a government intelligence agency to obtain that information–mainly through espionage, which companies can’t legally practice on their own. 

Yesterday, the chief information officer for Dow Chemical Company told a Senate panel that he’d like to see more information sharing from the government to industry, and among different sectors of US companies. He’s about to get some of what he asked for. 

To some extent, this information exchange has been happening already. For the past few years, US defense contractors have been sharing threat information with the government and allowing government agencies to monitor their networks, so the intelligence community can gather information about US adversaries, and how they work. 

Now, though, the administration is pushing this cooperation even deeper into the telecom sector, essentially taking the fight down to the level of the network operators. That’s a significant development. Think of this as deputizing some companies in the new cyber war. We’re going to see a lot more of this in the future.