President Obama with "cyber czar" Howard Schmidt
A reader passed on a really interesting link today, demonstrating that the Department of Defense doesn't want to wait for lawmakers to decide whether or not CISPA will fly. Or perhaps the DoD is worried that CISPA — or something just as bad — won't pass, and is therefore doing what it can to ensure that it can share our private data with government contractors whenever it wants to?
The proposed rule, "Department of Defense – Defense Industrial Base Voluntary Cyber Security and Information Assurance," will "establish a voluntary cyber security information sharing program between DoD and eligible DIB companies. The program enhances and supplements DIB participants' capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems."
Key word there is "transits." It appears as if DoD wants its army of private contractors to be able to share our IP information with the war department.
The rule will go into effect on May 11, 2012. The public has until 7/10/12 to make comments on it, which you can do here.
What would the rule do? The DoD says it would allow defense contractors or other "eligible" companies to "receive [US government] threat information and share information about network intrusions" and "immediately provide a voluntary framework for DoD and DIB companies to share information."
At the "core of the program" is a big government database, the "Defense Cyber Crime Center's DoD-DIB Collaborative Information Sharing Environment." Essentially the new rule lets private corporations submit tips to DoD about people accessing "unclassified" networks.
Does this mean that anyone who searches for information on Lockheed Martin's website will get their IP address shipped over to DoD investigators, if Lockheed feels like shipping it? Possibly. Then what happens?
"The DoD analyzes the information reported by the DIB company regarding any such cyber incident, to glean information regarding cyber threats, vulnerabilities, and the development of effective response measures. In addition to this initial reporting and analysis, the DoD and DIB company may pursue, on a voluntary basis, follow-on, more detailed, digital forensics analysis or damage assessments of individual incidents, including sharing of additional electronic media/files or information regarding the incident or the affected systems, networks, or information."
Seems like the Department of Defense doesn't want to deal with pesky Congressional authorization before expanding its "cyber threat" information sharing system with private corporations.
Just a thought: perhaps the Department of Defense wouldn't need to worry so much about its contractors' private cyber systems if it didn't farm out so much intelligence and contracting work to private corporations.
But instead, the corporate "National Security" industry continues to grow, largely in the shadows, where public accountability systems such as FOIA don't apply. At last count, nearly 1.5 million people in this country had a "top secret" security clearance. Not so top secret, is it?
Maybe that's part of the problem, DoD. Just a thought.
Meanwhile, CISPA, which would allow for even broader snooping, is working its way through the Senate. Stay tuned for more information about that, and be ready to speak out on it in the coming weeks.
For more information on lesser-noticed government information sharing systems, click here.
h/t @pcvcolin