US Defense Contractors Still Waiting For Breach Notification Rules

An anonymous reader writes US Department of Defense contractors will have to wait until September 24 to see what specific rules they will be required to follow when it comes to the reporting of computer breaches to the DoD. This particular requirement has been mandated by the US Congress last year, in an attempt to get clear view of the type and frequency of attacks contractors face. The US Congress will require "cleared defense contractors" — i.e. those who have been granted clearance by the DoD to access, receive, or store classified information — to effect a rapid report in the wake of a successful breach, and to include in it a description of the technique or method used in the penetration, a sample of the malicious software used (if discovered), and a summary of information created for the Department in connection with any Department program that has been potentially compromised due to such penetration.

Quickly now, tell us about the breach.

[penguinoid]

But not yet, maybe by next month we'll figure out how quickly we want you to tell us.

Re:Quickly now, tell us about the breach.

[easyTree]

One would assume that this would be basic common sense.

Tune in tomorrow when we'll bring the results of the multi-billion dollar, decades-long study on how best to drink a glass of water.

Re:Quickly now, tell us about the breach.

[NoKaOi]

One would assume that this would be basic common sense.

Not really, from the defense contractor's point of view. If they do have a breach, it is in their best interest to cover it up. Without any rules in place, they are not violating any rules. If there are rules in place, then covering it up would be a violation of those rules, so in some cases it would be in their best interest not to cover it up (risk/reward).

Re:Quickly now, tell us about the breach.

[gtall]

Contractor: Hi DoD, we've been breached.
DoD: How did this occur?
Contractor: We don't yet know.
DoD: What's been stolen?
Contractor: We don't yet know.
DoD: What are you going to do about it?
Contractor: We're working on it.
DoD: Damnit, we want instant karma information right NOW!!! Tell us everything you know!!
Contractor: We just did.
DoD: When will you know everything that's happened?
Contractor: We're assessing that, what specifically would you like to know.
DoD: Everything! Damit!
Contractor: What format would you like this information in?
DoD: This is DoD, we want Word documents with a high level overview and a PooperPoint Brief.
Contractor: Okay, but it will cost you.
DoD: Huh?
Contractor: Well, you want us to produce a report and also a brief and then send our Security Team to deliver the brief.
DoD: Okay, we'll need to run that through our Security folks to get the requirements for what we want and then Contracting Services.
Contractor: When will you have that for us?
DoD: We don't know yet.
Contractor: What will you need to know?
DoD: We don't know yet.

Time lapse...

Congressional Aid: Mr. DoD, we hear you are investigating a security breach at XYZ Corporation.
DoD: Yes, that's right.
CA: We'd like you to appear in front of a Senate Select Committee and answer questions, please prepare a brief.
DoD: Okay, what would you like us to address?
CA: Don't know, just tell us everything.
DoD: Okay, but you'll have to wait until XYZ gets back to us on what happened.
CA: When is that?
DoD: We don't know.

Get the picture, Einstein?

Re:Quickly now, tell us about the breach.

One would assume that this would be basic common sense.

Not really, from the defense contractor's point of view. If they do have a breach, it is in their best interest to cover it up. Without any rules in place, they are not violating any rules. If there are rules in place, then covering it up would be a violation of those rules, so in some cases it would be in their best interest not to cover it up (risk/reward).

Yeah, you've never worked in a place with govt security (and especially 'black' programs) if you think 'common sense' applies to this. One place I worked at got shutdown (a few years before I started there, mid 80s) for exactly this - some TS information not properly secured when an auditor came through, they closed the *entire building* (it was 95% "secure"), no work could be done on anything as they had people walking through the entire building looking for unsecured classified info.

After that, you can bet that anything potentially 'problematic' was seen as better swept under the carpet than reported. Good example, 16yrs later I was 'in charge' of the 'internet proxy' - with pretty much zero blocking of stuff other than a list I maintained, I would grep through logs periodically to search for 'inappropriate use' (sex sites, etc) and block them... they were too cheap to pay for real monitoring software (to the tune of $10K+ for our employee count) - and then warn the people involved "don't do that - HR has never asked about it, but if they do it's my job to give it to them" (I wiped the logs every few weeks, luckily - because eventually they did ask and I "only had" 3 weeks of logs). Yup, bunch of people got caught and fired for looking at porn - except one guy (a high up in his church, go figure :rolleyes:) who had a TS/SCI clearance - they knew if they fired *him* it would raise "big red flags" with the government security folks, and launch an audit. He kept his job and it was all 'forgotten'.

They'd lose *big* money if things got shut down for an investigation. And it's not just one project, if they find security problems with 'project-A', and you have projects B,C,D, and E too, they will probably shut all work on those down as well as they investigate.

Rule number 1

Never talk about the fightclub... um i mean, immediately report the breach to DOD!

There is no rule number 2.

I guess they need time to put it in writing in some contract jargon.

We Have a Breach In the Dyke

Somebody, get Dick, to plug van Dyke.

Simple two line answer

[dbIII]

Rootkits from large corporations such as Sony - ignore.
A mentally ill Brit stumbles across some web pages that are publicly available by accident - extradite and jail the bastard!

That seems to be that practice up to this point.

Re:Simple two line answer

[Errol+backfiring]

I thought it was more like:

• You have to disclose everything
• But if you disclose anything, you are hindering secret services who abuse known vulnerabilities. So if you disclose anything, you are a terrorist (TM).

What!?!

Congress was actually able to get something done last year!?!

Oh wait! Upon further review, I see that this is part of the National Defence Spending Authorization Bill...

'Nuff said.

The rules are already out

[kennykb]

You must disclose any breach at least 90 days prior to discovery or 60 days prior to its occurrence, whichever comes first. Any breach occurring without advance notification will be dealt with severely.

You must disclose all breaches on Form 27B/6. The form is secret and you do not have access to it.

Access to your system by any person on the 'no access list' will be considered a breach. The identity of persons on the 'no access list' is secret, and the Government will not inform you of whether any given person is or is not on it.

Knowing of any breach makes a person a 'high risk' individual. 'High risk' individuals shall be added to the 'no access list.'

The Government reserves the right to access your system at any time without notification. Allowing anyone, including the Government, access without advance approval is a security breach.

These rules themselves are secret and you do not have access to them.

Thank you for your cooperation, Citizen.

Re:The rules are already out

[jpvlsmv]

Please report to level D-10 for reassignment as reactor shielding. The computer is your friend.

It's Not That They Need Clarification

[Greyfox]

They just really don't want to do that and are going to stall as long as they can get away with it. Most of them are probably running no form of IDS, have no personnel capable of actually detecting a breach, have no security policy beyond poorly-enforced DOD mandates (Which effectively boils down to "Change your password every 90 days") and really don't want to be distracted from collecting their fat government checks every month by anything resembling actual work.

Re:It's Not That They Need Clarification

They just really don't want to do that and are going to stall as long as they can get away with it. Most of them are probably running no form of IDS, . . .blah blah blah

In other words, you don't know shit, but don't let that stop your little narratives and karma whoring.

Re:It's Not That They Need Clarification

[Greyfox]

I do know sexual tension when I see it. I appreciate you trying to get my attention but if you have the hots for me just come out and say it. I don't swing for the same team, but I'd be happy to take a picture of me with my shirt off so you can have a hot fantasy while staring at my prodigious man boobs.

What if they don't notice?

[penguinoid]

If they don't notice they've been breached, are they still required to go through with the embarrassing and expensive analysis and report of the breach?

Congress is in the Dark, NOT DoD

[laughingskeptic]

Breaches are already reported from the contractor's SSO to the government program office's SSO within 24 hours. Congress' issue is that they don't know what is going on and they decided to meddle in this one particular detail. Contractors absolutely do not attempt to cover this up, getting caught covering something like this up would cause them to immediately loose their funding and the right to bid on future contracts -- effectively a corporate death sentence. SSOs are almost all former soldiers with security backgrounds in the services and operate at the highest levels of integrity. They would absolutely place the country over their employer any day.

Re:Congress is in the Dark, NOT DoD

[PPH]

Breaches are already reported from the contractor's SSO to the government program office's SSO within 24 hours.

If they become aware of them.

Congress' issue is that they don't know what is going on and they decided to meddle in this one particular detail.

Or they have been made aware that some security breaches are not being reported properly up the chain to the DIA. And they want oversight.

Contractors absolutely do not attempt to cover this up, getting caught covering something like this up would cause them to immediately loose their funding and the right to bid on future contracts

Yeah, right. We'd be fighting our next war with pointed sticks.

I've worked at a DoD contractor in the past. Unacknowledged malware infections were rampant. And we had a couple of people running their own software businesses on company time and company equipment. Guess what? Still a DoD contractor.