The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns

New zero-day used for effective kernel memory injection and stealth

Earlier this year, during a security sweep, Kaspersky Lab detected a cyber-intrusion affecting several of our internal systems.

Following this finding, we launched a large scale investigation, which led to the discovery of a new malware platform from one of the most skilled, mysterious and powerful groups in the APT world – Duqu. The Duqu threat actor went dark in 2012 and was believed to have stopped working on this project – until now. Our technical analysis indicates the new round of attacks include an updated version of the infamous 2011 Duqu malware, sometimes referred to as the stepbrother of Stuxnet. We named this new malware and its associated platform “Duqu 2.0”.

Some of the new 2014-2015 Duqu infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal. The threat actor behind Duqu appears to have launched attacks at the venues for some of these high level talks. In addition to the P5+1 events, the Duqu 2.0 group has launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau.

In the case of Kaspersky Lab, the attack took advantage of a zero-day in the Windows Kernel, and possibly up to two other, currently patched vulnerabilities, which were zero-day at that time. The analysis of the attack revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected. More details can be found in our technical paper.

From a threat actor point of view, the decision to target a world-class security company must be quite difficult. On one hand, it almost surely means the attack will be exposed – it’s very unlikely that the attack will go unnoticed. So the targeting of security companies indicates that either they are very confident they won’t get caught, or perhaps they don’t care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers probably took a huge bet hoping they’d remain undiscovered; and lost.

At Kaspersky Lab, we strongly believe in transparency, which is why we are going public with this information. Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services.

By GReAT on June 10, 2015. 12:00 pm

Find this story at 10 June 2015

© 2015 AO Kaspersky Lab.

Israel’s secret intel unit spawns high-tech tycoons

TEL AVIV, Israel, Sept. 9 (UPI) — The Israeli military’s top-secret Unit 8200, the Jewish state’s equivalent of the U.S. National Security Agency, has spawned a generation of high-tech start-ups and more technology millionaires than many business schools, and these days the cyber security sector is booming.

Unit 8200 is now the Israeli military’s biggest branch in manpower terms. It has grown swiftly in recent years as cyberwarfare has become one of the major security threats to military organizations and industrialized states whose vital infrastructure is vulnerable to cyberattack.

But Unit 8200 remains the most secretive of Israel’s military units. Even the name of its commander is a state secret, as is its annual budget.

It has a major, highly secure base in the Negev Desert south of Tel Aviv. But little is known about its work in what’s known as signals intelligence: intercepting and analyzing other forces’ communications and data traffic, from mobile phone chatter and emails to flight paths and electronic signals.

Unlike other branches of the Israeli military, virtually all its research and development is conducted in-house by its huge cadre of engineers, programmers and technicians.

Unit 8200 headhunts the brightest students from high schools and colleges, and there seems to be no shortage of volunteers.

So it’s no surprise that many veterans of Unit 8200 — invariably known as “eight-two hundred” — have been behind a host of successful high-tech start-ups in the commercial sector after they leave the service.

These enterprises provide a unique contribution to Israel’s high-tech sector, widely recognized as one of the most advanced in the world.

The country’s high-tech exports total an estimated $25 billion a year, a quarter of Israel’s exports.

The high-tech sector currently boasts 5,000 companies that employ 230,000 people and earn

Recent Israeli successes in the field include the Zisapel brothers, Yehuda and Zohar, who sold and floated a dozen companies for hundreds of millions of dollars; and Yair Cohen, a former brigadier general who once commanded Unit 8200, who heads the intelligence cyberdivision of Elbit Systems, a major defense company.

Then there’s Aharon Zeevi Farkash, another former Unit 8200 chief, founder and chief executive of FST21, which employs a mix of technologies, combining hardware and software to suit specific needs that are in the hands of young men and women hardly out of their teens.

Yossi Vardi, who founded Israel’s first software company in 1969, says “more high-tech millionaires have been created from 8200 than from any business school in the country.”

Israeli tech firms like Nice, Comverse and Check Point were all set up by Unit 8200 alumni or based on technology developed by the unit, which cyber insiders say is in some cases decades ahead of the U.S. and Europe.

A measure of these companies’ success is that many are bought out by the titans of the field.

IBM announced in August that it’s buying Trusteer, a privately owned Israeli cloud-based cybersecurity software provider whose customers include many of the largest banks in the United States and Britain.

The terms of the deal have not been disclosed. But the Financial Times reported that IBM, which will form a cybersecurity software laboratory in Israel with more than 200 researchers from both companies, is believed to be forking out $800 million-$1 billion for Trusteer.

The Israeli outfit says its equipment can identify security threats that escape more traditional security software.

Trusteer software is designed to help ensure that bank customers can safely transfer funds on mobile devices by detecting malware that can infect a smartphone, allowing the bank to prevent fraudulent transactions taking place.

“The way organizations protect data are quickly evolving,” observed Trusteer’s chief executive, Mickey Boodaei, who founded the firm in 2006.

“As attacks become more sophisticated, traditional approaches to securing enterprise and mobile data are no longer valid.”

Unit 8200’s success as an incubator for Israel’s high-tech ventures is likely to grow, since under the military’s new strategic plan it’s downsizing conventional land, sea and air forces to meet the challenges of a new era of warfare with more agile, technology-oriented forces.

Farkash says 8200’s alumni are so successful because its organizational ethos encourages out-of-the-box thinking.

“We’re very tolerant of mistakes,” he explains. “It’s impossible to be creative when fear leads you.”

Published: Sept. 9, 2013 at 11:51 AM

Find this story at 9 September 2013

© 2013 United Press International, Inc. All Rights Reserved.

SPYING ON AMERICANS: Obama’s Backdoor “Cybersecurity” Wiretap Bill Threatens Political and Private Rights; Spying on Social Media

Under the guise of “cybersecurity,” the new all-purpose bogeyman to increase the secret state’s already-formidable reach, the Obama administration and their congressional allies are crafting legislation that will open new backdoors for even more intrusive government surveillance: portals into our lives that will never be shut.

As Antifascist Calling has frequently warned, with the endless “War on Terror” as a backdrop, the federal government, most notably the 16 agencies that comprise the so-called “Intelligence Community” (IC), has been constructing vast centralized databases that scoop up and store all things digital–from financial and medical records to the totality of our electronic communications online–and do so without benefit of a warrant or probable cause.

The shredding of constitutional protections afforded by the Fourth Amendment, granted to the Executive Branch by congressional passage of the Authorization for Use of Military Force (AUMF) after the 9/11 attacks, followed shortly thereafter by the oxymoronic USA Patriot Act set the stage for today’s depredations.

Under provisions of multiple bills under consideration by the House and Senate, federal officials will be given broad authority over private networks that will almost certainly hand security officials wide latitude over what is euphemistically called “information-sharing” amongst corporate and government securocrats.

As The Washington Post reported in February, the National Security Agency “has pushed repeatedly over the past year to expand its role in protecting private-sector computer networks from cyberattacks” but has allegedly “been rebuffed by the White House, largely because of privacy concerns.”

“The most contentious issue,” Post reporter Ellen Nakashima wrote, “was a legislative proposal last year that would have required hundreds of companies that provide such critical services as electricity generation to allow their Internet traffic to be continuously scanned using computer threat data provided by the spy agency. The companies would have been expected to turn over evidence of potential cyberattacks to the government.”

Both the White House and Justice Department have argued, according to the Post, that the “proposal would permit unprecedented government monitoring of routine civilian Internet activity.”

National Security Agency chief General Keith Alexander, the dual-hatted commander of NSA and U.S. Cyber Command (USCYBERCOM), the Pentagon satrapy that wages offensive cyberwar, was warned to “restrain his public comments after speeches in which he argued that more expansive legal authority was necessary to defend the nation against cyberattacks.”

While we can take White House “objections” with a proverbial grain of salt, they do reveal however that NSA, the largest and most well-funded of the secret state’s intel shops will use their formidable surveillance assets to increase their power while undermining civilian control over the military in cahoots with shadowy security corporations who do their bidding. (Readers are well-advised to peruse The Surveillance Catalog posted by The Wall Street Journal as part of their excellent What They Know series for insight into the burgeoning Surveillance-Industrial Complex).

As investigative journalist James Bamford pointed out recently in Wired Magazine, “the exponential growth in the amount of intelligence data being produced every day by the eavesdropping sensors of the NSA and other intelligence agencies” is “truly staggering.”

In a follow-up piece for Wired, Bamford informed us that when questioned by Congress, Alexander stonewalled a congressional subcommittee when asked whether NSA “has the capability of monitoring the communications of Americans, he never denies it–he simply says, time and again, that NSA can’t do it ‘in the United States.’ In other words it can monitor those communications from satellites in space, undersea cables, or from one of its partner countries, such as Canada or Britain, all of which it has done in the past.”

Call it Echelon on steroids, the massive, secret surveillance program first exposed by journalists Duncan Campbell and Nicky Hager.

And with the eavesdropping agency angling for increased authority to monitor the electronic communications of Americans, the latest front in the secret state’s ongoing war against privacy is “cybersecurity” and “infrastructure protection.”

‘Information Sharing’ or Blanket Surveillance?

Among the four bills currently competing for attention, the most egregious threat to civil liberties is the Cyber Intelligence Sharing and Protection Act of 2011 (CISPA, H.R. 3523).

Introduced by Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD), the bill amends the National Security Act of 1947, adding language concerning so-called “cyber threat intelligence and information sharing.”

“Cyber threat intelligence” is described as “information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from: (1) efforts to degrade, disrupt, or destroy such system or network; or (2) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.”

In keeping with other “openness” mandates of our Transparency Administration™ the Rogers bill will require the Director of National Intelligence (DNI) to establish procedures that permit IC elements to “share cyber threat intelligence with private-sector entities, and (2) encourage the sharing of such intelligence.”

These measures however, will not protect the public at large from attacks by groups of organized cyber criminals since such intelligence is only “shared with certified entities or a person with an appropriate security clearance,” gatekeepers empowered by the state who ensure that access to information is “consistent with the need to protect U.S. national security, and used in a manner that protects such intelligence from unauthorized disclosure.”

In other words, should “cleared” cyber spooks be directed by their corporate or government masters to install state-approved malware on private networks as we discovered last year as a result of the HBGary hack by Anonymous, it would be a crime punishable by years in a federal gulag if official lawbreaking were disclosed.

The bill authorizes “a cybersecurity provider (a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes),” i.e., an outsourced contractor from any one of thousands of spooky “cybersecurity” firms, to use “cybersecurity systems to identify and obtain cyber threat information in order to protect the rights and property of the protected entity; and share cyber threat information with any other entity designated by the protected entity, including the federal government.”

Furthermore, the legislation aims to regulate “the use and protection of shared information, including prohibiting the use of such information to gain a competitive advantage and, if shared with the federal government, exempts such information from public disclosure.”

And should the public object to the government or private entities trolling through their personal data in the interest of “keeping us safe” well, there’s an app for that too! The bill “prohibits a civil or criminal cause of action against a protected entity, a self-protected entity (an entity that provides goods or services for cybersecurity purposes to itself), or a cybersecurity provider acting in good faith under the above circumstances.”

One no longer need wait until constitutional violations are uncovered, the Rogers bill comes with a get-out-of-jail-free card already in place for state-approved scofflaws.

Additionally, the bill “preempts any state statute that restricts or otherwise regulates an activity authorized by the Act.” In other words, in states like California where residents have “an inalienable right to privacy” under Article 1, Section 1 of the State Constitution, the Rogers bill would abolish that right and effectively “legalize” unaccountable snooping by the federal government or other “self-protected,” i.e., private entities deputized to do so by the secret state.

Social Media Spying

How would this play out in the real world? As Government Computer News reported, hyped-up threats of an impending “cyber-armageddon” have spawned a host of new actors constellating America’s Surveillance-Industrial Complex: the social media analyst.

“Companies and government agencies alike are using tools to sweep the Internet–blogs, websites, and social media such as Facebook and Twitter feeds–to find out what people are saying about, well, just about anything.”

Indeed, as researchers Jerry Brito and Tate Watkins pointed out last year in Loving the Cyber Bomb?, “An industrial complex reminiscent of the Cold War’s may be emerging in cybersecurity today.”

Brito and Watkins averred that “the military-industrial complex was born out of exaggerated Soviet threats, a defense industry closely allied with the military and Department of Defense, and politicians striving to bring pork and jobs home to constituents. A similar cyber-industrial complex may be emerging today, and its players call for government involvement that may be superfluous and definitely allows for rent seeking and pork barreling.”

Enter social media analysis and the private firms out to make a buck–at our expense.

“Not surprisingly,” GCN’s Patrick Marshall wrote, “intelligence agencies have already been looking at social media as a source of information. The Homeland Security Department has been analyzing traffic on social networks for at least the past three years.”

While DHS claims it does not routinely monitor Facebook or Twitter, and only responds when it receives a “tip,” such assertions are demonstrably false.

Ginger McCall, the director of the Electronic Privacy Information Center’s Open Government Program, told GCN that the department is “explicitly monitoring for criticism of the government, for reports that reflect adversely on the agency, for public reaction to policy proposals.”

But DHS isn’t the only agency monitoring social media sites such as Facebook and Google+.

As Antifascist Calling reported back in 2009, according to New Scientist the National Security Agency “is funding research into the mass harvesting of the information that people post about themselves on social networks.”

Not to be outdone, the CIA’s venture capital investment arm, In-Q-Tel, has poured millions of dollars into Visible Technologies, a Bellevue, Washington-based firm specializing in “integrated marketing, social servicing, digital experience management, and consumer intelligence.”

According to In-Q-Tel “Visible Technologies has developed TruCast®, which takes an innovative and holistic approach to social media management. TruCast has been architected as an enterprise-level solution that provides the ability to track, analyze, and respond to social media from a single, Web-based platform.”

Along similar lines, the CIA has heavily invested in Recorded Future, a firm which “extracts time and event information from the web. The company offers users new ways to analyze the past, present, and the predicted future.”

The firm’s defense and intelligence analytics division promises to “help analysts understand trends in big data, and foresee what may happen in the future. Groundbreaking algorithms extract temporal and predictive signals from unstructured text. Recorded Future organizes this information, delineates results over interactive timelines, visualizes past trends, and maps future events–all while providing traceability back to sources. From OSINT to classified data, Recorded Future offers innovative, massively scalable solutions.”

As Government Computer News pointed out, in January the FBI “put out a request for vendors to provide information about available technologies for monitoring and analyzing social media.” Accordingly, the Bureau is seeking the ability to:

• Detect specific, credible threats or monitor adversarial situations.

• Geospatially locate bad actors or groups and analyze their movements, vulnerabilities, limitations, and possible adverse actions.

• Predict likely developments in the situation or future actions taken by bad actors (by conducting trend, pattern, association, and timeline analysis).

• Detect instances of deception in intent or action by bad actors for the explicit purpose of misleading law enforcement.

• Develop domain assessments for the area of interest (more so for routine scenarios and special events).

So much for privacy in our Orwellian New World Order!

Backdoor Official Secrets Act

Social media “harvesting” by private firms hot-wired into the state’s Surveillance-Industrial Complex will be protected from challenges under provisions of CISPA.

As the Electronic Frontier Foundation (EFF) pointed out, “a company that protects itself or other companies against ‘cybersecurity threats’ can ‘use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property’ of the company under threat. But because ‘us[ing] cybersecurity systems’ is incredibly vague, it could be interpreted to mean monitoring email, filtering content, or even blocking access to sites. A company acting on a ‘cybersecurity threat’ would be able to bypass all existing laws, including laws prohibiting telcos from routinely monitoring communications, so long as it acted in ‘good faith’.”

And as EFF’s Rainey Reitman and Lee Tien aver, the “broad language” concerning what constitutes a cybersecurity “threat,” is an invitation for the secret state and their private “partners” to include “theft or misappropriation of private or government information, intellectual property, or personally identifiable information.”

“Yes,” Reitman and Tien wrote, “intellectual property. It’s a little piece of SOPA wrapped up in a bill that’s supposedly designed to facilitate detection of and defense against cybersecurity threats. The language is so vague that an ISP could use it to monitor communications of subscribers for potential infringement of intellectual property. An ISP could even interpret this bill as allowing them to block accounts believed to be infringing, block access to websites like The Pirate Bay believed to carry infringing content, or take other measures provided they claimed it was motivated by cybersecurity concerns.”

More troubling, “the government and Internet companies could use this language to block sites like WikiLeaks and NewYorkTimes.com, both of which have published classified information.”

Should CISPA pass muster it could serve as the basis for establishing an American “Official Secrets Act.” In the United Kingdom, the Act has been used against whistleblowers to prohibit disclosure of government crimes. But it does more than that. The state can also issue restrictive “D-Notices” that “advise” editors not to publish material on subjects deemed sensitive to the “national security.”

EFF warns that “online publishers like WikiLeaks are currently afforded protection under the First Amendment; receiving and publishing classified documents from a whistleblower is a common journalistic practice. While there’s uncertainty about whether the Espionage Act could be brought to bear against WikiLeaks, it is difficult to imagine a situation where the Espionage Act would apply to WikiLeaks without equally applying to the New York Times, the Washington Post, and in fact everyone who reads about the cablegate releases.”

And with the Obama regime’s crusade to prosecute and punish whistleblowers, as the recent indictment of former CIA officer John Kiriakou for alleged violations of the Espionage Act and the Intelligence Identities Protection Act for disclosing information on the CIA’s torture programs, we have yet another sterling example of administration “transparency”! While Kiriakou faces 30 years in prison, the former head of the CIA’s Directorate of Operations, Jose A. Rodriguez Jr., who was responsible for the destruction of 92 torture videotapes held by the Agency, was not charged by the government and was given a free pass by the Justice Department.

As the World Socialist Web Site points out: “More fundamentally, the prosecution of Kiriakou is part of a policy of state secrecy and repression that pervades the US government under Obama, who came into office promising ‘the most transparent administration in history.’”

Critic Bill Van Auken observed that Kiriakou’s prosecution “marks the sixth government whistleblower to be charged by the Obama administration under the Espionage Act, twice as many such prosecutions as have been brought by all preceding administrations combined. Prominent among them is Private Bradley Manning, who is alleged to have leaked documents exposing US war crimes to WikiLeaks. He has been held under conditions tantamount to torture and faces a possible death penalty.”

“In all of these cases,” the World Socialist Web Site noted, “the World War I-era Espionage Act is being used to punish not spying on behalf of a foreign government, but exposing the US government’s own crimes to the American people. The utter lawlessness of US foreign policy goes hand in hand with the collapse of democracy at home.”

The current crop of “cybersecurity” bills is sure to hasten that collapse.

Under Rogers’ legislation, “the government would have new, powerful tools to go after WikiLeaks,” or anyone else who challenges the lies of the U.S. government by publishing classified information that contradicts the dominant narrative.

By Tom Burghardt
Global Research, April 10, 2012

Find this story at 10 April 2013

Copyright © 2005-2013 GlobalResearch.ca

Cyber Corps program trains spies for the digital age

At the University of Tulsa school, students learn to write computer viruses, hack digital networks and mine data from broken cellphones. Many graduates head to the CIA or NSA.

TULSA, Okla. — Jim Thavisay is secretly stalking one of his classmates. And one of them is spying on him.

“I have an idea who it is, but I’m not 100% sure yet,” said Thavisay, a 25-year-old former casino blackjack dealer.

Stalking is part of the curriculum in the Cyber Corps, an unusual two-year program at the University of Tulsa that teaches students how to spy in cyberspace, the latest frontier in espionage.

Students learn not only how to rifle through trash, sneak a tracking device on cars and plant false information on Facebook. They also are taught to write computer viruses, hack digital networks, crack passwords, plant listening devices and mine data from broken cellphones and flash drives.

It may sound like a Jason Bourne movie, but the little-known program has funneled most of its graduates to the CIA and the Pentagon’s National Security Agency, which conducts America’s digital spying. Other graduates have taken positions with the FBI, NASA and the Department of Homeland Security.

The need for stronger cyber-defense — and offense — was highlighted when Defense Secretary Leon E. Panetta warned in an Oct. 11 speech that “a cyber-terrorist attack could paralyze the nation,” and that America needs experts to tackle the growing threat.

“An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals,” Panetta said. “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”

Panetta said the Pentagon spends more than $3 billion annually for cyber-security. “Our most important investment is in skilled cyber-warriors needed to conduct operations in cyberspace,” he said.

That’s music to the ears of Sujeet Shenoi, a naturalized citizen from India who founded the cyber program in 1998. He says 85% of the 260 graduates since 2003 have gone to the NSA, which students call “the fraternity,” or the CIA, which they call “the sorority.”

Shenoi subjects his students to both classroom theory and practical field work. Each student is assigned to a Tulsa police crime lab on campus and uses digital skills to help uncover evidence — most commonly child pornography images — from seized devices. Several students have posed as children online to lure predators. In 2003, students helped solve a triple homicide by cracking an email account linking the perpetrator to his victims.

“I throw them into the deep end,” Shenoi said. “And they become fearless.”

The Secret Service has also tapped the Cyber Corps. Working from a facility on campus, students help agents remove evidence from damaged cellphones, GPS units and other devices.

“Working alongside U.S. Secret Service agents, Tulsa Cyber Corps students have developed techniques for extracting evidence from burned or shattered cellphones,” Hugh Dunleavy, who heads the Secret Service criminal division, said in a written statement. More than 5,000 devices have been examined at the facility, he added.

In 2007, California’s secretary of state, Debra Bowen, hired the University of California to test the security of three electronic voting systems used in the state, and Shenoi and several students joined one of the “red” teams assigned to try to hack the voting machines. They succeeded. One of the students, who now works at the NSA, showed that someone could use an off-the-shelf device with Bluetooth connectivity to change all the votes in a given machine, Shenoi said.

“All our results were provided to the companies so they could fix the machines to the extent possible,” Shenoi said.

In May, the NSA named Tulsa as one of four national centers of academic excellence in cyber-operations. The others were Northeastern University in Boston, Naval Postgraduate School in Monterey, Calif., and Dakota State University in Madison, S.D.

“Tulsa students show up to NSA with a lot of highly relevant hands-on experience,” said Neal Ziring, a senior NSA official who visited the school recently to consult about the curriculum and to interview students for jobs and internships. “There are very few schools that are like Tulsa in terms of having participation with law enforcement, with industry, with government.”

Shenoi’s students have ranged in age from 17 to 63. Many are retired from the military, or otherwise starting second careers. They are usually working toward degrees in computer science, engineering, law or business. About two-thirds get a cyber-operations certification on their diplomas, or what Shenoi calls a “cyber-ninja” designation “because they have to be super techie.”

To be accepted into the corps, applicants must be U.S. citizens with the ability to obtain a security clearance of “top secret” or higher. But not all of them spend their careers in government.

One former student, Philip McAllister, worked after graduation at the Naval Research Laboratory, which does scientific research and development for the Navy and Marines. He later moved to San Francisco and worked at several startup companies before he joined Instagram, which developed a photo-sharing mobile application, early this year. Facebook purchased Instagram, which had only 13 employees, for $1 billion three months later.

“Sujeet gets incredibly talented people,” said Richard “Dickie” George, who retired last year after a three-decade career at the NSA.

November 22, 2012 | By Ken Dilanian, Washington Bureau

Find this story at 22 November 2012

ken.dilanian@latimes.com

Copyright 2012 Los Angeles Times

Pentagon to expand cybersecurity program for defense contractors

The Pentagon is expanding and making permanent a trial program that teams the government with Internet service providers to protect defense firms’ computer networks against data theft by foreign adversaries.

It is part of a larger effort to broaden the sharing of classified and unclassified cyberthreat data between the government and industry in what Defense Department officials say is a promising collaboration between the public and private sectors.

“The expansion of voluntary information sharing between the department and the defense industrial base represents an important step forward in our ability to stay current with emerging cyberthreats,” Ashton B. Carter, deputy secretary of defense, said in announcing the move Friday.

Carter said that industry’s increased reliance on the Internet for daily business has exposed large amounts of sensitive information held on network servers to the risk of digital theft. Corporate cyber-espionage has reached epidemic scale, experts and officials say, with much of the activity traced to China and Russia.

Begun a year ago, the Defense Industrial Base enhanced pilot program included 17 companies that volunteered to have commercial carriers such as Verizon and AT&T scan e-mail traffic entering their networks for malicious software. Outgoing traffic that shows signs of being redirected to illegitimate sites is blocked so that it does not fall into an adversary’s hands.

A study in November by Carnegie Mellon University said that the pilot program showed the public-private model could work but that initial results on the efficacy of the National Security Agency measures were mixed, with the most value going to companies with less mature network defenses.

The report also said companies reported large numbers of false positives in detecting traffic to illegitimate sites. That flaw largely has been fixed, officials said.

One telecom industry official familiar with the program said he thought the results were better than reflected in the report. “There are a lot of opportunities for improving,” said the official, who was not authorized to speak on the record. For instance, the official said, “the longer it takes NSA to provide the data” to the carriers, the less useful the program will be. Overall, the official said, “we think it was a successful model.”

U.S. officials said that after initial difficulties, the program has become more effective, so much so that senior officials agreed at a White House meeting Thursday to expand it and make it permanent.

“It’s the best example of information sharing that helps in an operational way,” said Eric Rosenbach, deputy assistant secretary of defense for cyber-policy. “We haven’t heard of any other country that’s doing anything like this — a really collaborative relationship between government and private sector.”

Rosenbach acknowledged that the program was not perfect. “We’re definitely not claiming this is the silver bullet when it comes to cybersecurity for the defense firms,” he said. “It is an additional tool they can use to mitigate some of the risk of attacks.”

The carriers are using classified threat data or indicators provided by the NSA to screen the traffic, as well as unclassified threat data provided by the Department of Homeland Security. DHS reviews all the screening data before it goes to the carriers.

The companies may turn over results of the screening to the government. The data would go to DHS and could be shared with agencies such as the NSA and FBI, but with strict privacy protections, officials said.

Rosenbach said that although the NSA should get feedback on how effective its measures are, the agency does not deal directly with the carriers or companies. And, he said, no information that can identify a person is shared with the government.

Still, privacy concerns are high, especially as Congress considers legislation to foster a broader exchange of cyberthreat data between the government and industry.

“Having the NSA provide classified cyberattack signatures to network operators to help them protect their networks . . . is far preferable to having the NSA scan private networks for those signatures,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology. “However, the flow of information back to the government raises significant privacy concerns in the program and in the pending cybersecurity legislation.”

The cybersecurity program will remain voluntary, officials said. As of December, companies have had to pay their Internet carrier for the service. It is unclear how many of the roughly 8,000 eligible defense contractors will sign up.


By Ellen Nakashima, Published: May 11

© The Washington Post Company