Symantec joins DOD threat-sharing group

Cybersecurity firm Symantec has joined a Department of Defense information-sharing program designed to spot threats targeting the defense contracting base.

 
NOTE: This article first appeared on FCW.com.

The company announced April 22 that it was joining the Defense Industrial Base Cybersecurity Program, a voluntary public-private information-sharing program that provides participants with classified and unclassified information as well as best practices around information assurance. It aims to facilitate better situational awareness about IT security threats to unclassified contractor networks and information systems.

The addition of Symantec, which already has a robust threat intelligence network in place, could help bolster the quality and sophistication of the information that flows through the program. Symantec claims data for its Global Intelligence Network is culled from 175 million protected endpoints and 123 million attack sensors that collect cyber threat telemetry vectors worldwide.

In order to qualify for the DOD program, a company must be a cleared contractor with the ability to view and handle classified information at the Secret level or higher.

Chris Townsend, the company’s vice president of federal, said in a statement, “Symantec is proud to become a member of this important community.”

The program is just one of a growing number of tools meant to address cybersecurity gaps in the defense contractor space. Military leaders have become increasingly concerned about the impact of compromised hardware or software on weapons and information systems, whether through bugs and other software vulnerabilities or sabotage in the technology supply chain. In both areas, contractors have come under increasing scrutiny as a potential avenue for nation-states to exploit.

Growing awareness of the threat, along with concerns that elements of the defense contracting base are weak links in the government's cybersecurity chain, has led DOD officials and policymakers in Congress to experiment with a range of potential solutions.

A Senate Armed Services Committee hearing on cybersecurity threats to the defense industrial base last month drew exasperated responses from a number of senators frustrated that the U.S. was seemingly prioritizing contractor profits and convenience over national security. Ranking member Joe Manchin (D-W.Va.) said, "We've got to be the stupidest people in the world to let this happen," and suggested that the committee and Congress may need to update federal contracting and procurement rules.

Recently, Secretary of the Navy Richard Spencer told the House Armed Services Committee that tightening up contractor security practices was one of the branch's top priorities in 2020. He urged lawmakers to pass legislation that would create a new assistant secretary for cybersecurity position focused on the defense industrial base.

Earlier this year, DOD CIO Dana Deasy floated the possibility that the department could move away from the current model of contractors self-certifying their compliance with National Institute of Standards and Technology cybersecurity guidelines and instead empower a third-party organization leveraging machine learning to examine and audit contractors' security posture.