Norman Blog

insight, opinion & information

 
 

In Defense of Requiring Cyber Threat Reports from Defense Contractors

As we’ve been following the development of (and advocating for) the failed Cyber Security Act of 2012, a similarly worded amendment to the FY 2013 National Defense Authorization Act (NDAA) has been brewing within the Senate. Just as last year’s Cyber Security Act would have applied to critical infrastructure and financial institutions, Senator Carl Levin’s Amendment 3195 would require Department of Defense (DoD) contractors to report network breaches.

The proposed amendment hands responsibility to the Under Secretary of Defense for Intelligence to establish a reporting process, but specifies that defense contractors must:

  1. include a description of the “technique or method used in the penetration”
  2. provide samples of the “malicious software, if discovered and isolated by the contractor”
  3. allow DoD access to “equipment or information” to determine if the intruder gained any classified information

Norman AS supports Levin’s amendment, as communication about unauthorized access to confidential information systems is vital to preventing future threats. The more information the Pentagon can collect about a breach, the better it can mitigate the damage. Hackers are aware that contractors are the department’s weakest link, and thus easy targets. The amendment’s supporters cite recent examples of costly data capture by Chinese and Russian hackers.

Because businesses are often reluctant to share information with government entities, without such legislation, private contracting companies would be under no obligation to report the theft of government intelligence critical to defending our nation. It’s refreshing to see this potential reversal on the horizon for 2013.

Do you support the NDAA Amendment 3195? Please share your thoughts in the comments.

Image credit: US Department of Defense (via Wikimedia Commons)


One Response to In Defense of Requiring Cyber Threat Reports from Defense Contractors

  1. A similar initiative / legislation is currently under ‘development’ in the EU, and it has similar objectives. Based on the information you list, I fully support both the EU & US legislation proposals. Any potential breach of confidentiality and integrity of data that may have a negative impact on the national defence systems must naturally be disclosed to the affected relevant public party ASAP!


 
 
Darin Andersen

The Author:

Darin Andersen is the Vice President & General Manager for Norman North America and has more than 20 years of experience in software and security sales management.
