The Department of Homeland Security added contracting giant Lockheed Martin to its list of commercial providers authorized to sell services using cyber threat information — both classified and not — collected by the government. Whether that will inspire businesses to sign on remains to be seen.
Lockheed joins the telecoms AT&T, CenturyLink and Verizon, which have been on the list since DHS launched the Enhanced Cybersecurity Services (ECS) program two years ago.
Will the addition of the non-telecom Lockheed draw more attention to the program, or will ECS continue to go unprioritized, lost in the myriad of other cybersecurity options available to those in the private sector?
"Lockheed might put ECS over the hump so it finally makes sense to people," said Howard Schmidt, former White House cyber czar under presidents Bush and Obama, and the new chairman of the U.S. Chamber of Commerce's Cybersecurity Leadership Council.
ECS was initially launched in 2011 as the Defense Industrial Base Cyber Pilot, which involved fewer than a dozen defense contractors testing ways for the government to share attack signatures for identifying threats to defense contractors' networks. The pilot expanded, and in 2012 DHS assumed an active role and the program became governmentwide. Soon after, it was opened up to the private sector.
"Typically, people in the private sector have had to wait till information about threats comes out in the news, and by then it's too late," Schmidt said. "This type of info sharing is really a way of doing business we should have been doing since 2001."
Lockheed brings a more comprehensive approach than others on the provider list, said Richard Mahler, Lockheed's director of commercial cyber solutions, "not just alerting companies to a threat, but analyzing the threat and telling them what they can do about it."
But some argue that any cybersecurity effort originating in the government will never have big uptake in the private sector, which regards federal efforts — particularly those led by DHS — as behind those already underway in industry.
"If you ask CISOs what are the top three things on their wish list for getting their companies more secure, this is not among them," said John Pescatore, director of emerging security trends at SANS Institute and a former systems designer for the National Security Agency and the U.S. Secret Service. "It's not a high potential area other than it keeps politicians busy."
When asked how ECS adoption has gone thus far, DHS did not offer statistics. But Pescatore put it like this: "Three times a week, 50 signatures of bug threats come out from DHS in this program, but among the huge world of those in the private sector tracking threats, there are thousands per week. More good data is always better than less, but there is no lack of this information."
That said, the program does appear to be poised for growth. DHS has signed memoranda of agreement with several other companies at various stages in the accreditation process to become commercial service providers or operational implementers, the latter of which use ECS services for self-protection only.
Schmidt said the concept of ECS may soon begin to appeal to medium and small businesses, many of which do not have access to the latest and greatest cybersecurity offerings put out by large commercial companies.
"In small companies, the IT person might also be the employee who gets the coffee at Costco and takes out the rubbish at the end of the day," Schmidt said. "They really need the ability to use good resources like this."