Pentagon Wants to Secure Dot-Com Domains of Contractors

To better secure unclassified information stored in the computer networks of government contractors, the Defense Department is asking whether the National Security Agency should begin to monitor select corporate dot.com domains, several officials and consultants briefed on the matter said.

Under the proposal, which is being informally circulated throughout the department and the Department of Homeland Security, the NSA could set up equipment to look for patterns of suspicious traffic at the internet service providers that the companies' networks run through. The agency would immediately notify the Pentagon and the companies if pernicious behavior were detected. The Agency would not directly monitor the content of the data streams, only its meta-data. (A Pentagon spokesperson called later to clarify that it would not be legal for the NSA to "monitor" private networks; rather, "DoD and NSA are seeking to provide technical advice, expertise and information to the defense industrial base.")

The proposal originated in the Office of the Secretary of Defense. Because of the sensitivity associated with NSA internet surveillance and capabilities, the fact of the exploratory tasker, as it is known in Pentagon parlance, and details associated with it are being closely held.

The new program would apply to the companies that make up the Defense Industrial Base (DIB)  and only to the parts of those companies that indigenously store and use sensitive information. As the Department reconfigures its network defenses and the internal structure of its information operation, it continues to deal with a large number of aggressive hacker attacks and data penetrations.  Classified information is not supposed to be stored on any dot.mil subdomain that is accessible to outside computer networks.

The dot.mil domain is protected by the newly-stood up U.S. Cyber Command, with assistance from NSA, as are domains that process classified information, but most companies that do business with the Pentagon sit on the public dot.com domain, which is the province of DHS.  DHS uses an architecture known as "Einstein II" to search for malicious data patterns for non-defense government agencies.

"Because of its important partnership with industry, and given that defense contractors have already been targeted for cyber intrusion on their unclassified systems, DoD is concerned about the security of DIB networks," said Lt. Col. René White, a Pentagon spokesperson.  "Therefore, DoD has asked NSA to evaluate under what conditions it might be possible for the government to work with the DIB to better protect national security information and interests in the DIB systems." 

It may not be legal to force companies to submit to NSA monitoring, or even to ask them to voluntarily agree to it, and it might not be politically feasible for companies to accept NSA sensors without disclosing their existence for liability and optical reasons.  At least two companies, AT&T and Verizon, have been approached about the idea, government officials said. Representatives for both companies checked with the Pentagon after receiving inquiries and declined to comment.

Architecturally, it is easier to detect suspicious behavior above the level of the enterprise, which is why the sensors would have to be set up at the ISPs.

If the Defense Department can pitch it to Congress as a small extension of the dot.mil domain to include their private sector partners and no further, it may avoid some of the squeals that would arise from those who would be suspicious of any new monitoring effort by the NSA, which already works with ISPs to gather foreign intelligence information under Foreign Intelligence Surveillance Act rules.

"DoD is in the process of evaluating possible options to better protect the DIB and, with DHS, is talking with Industry partners on a purely voluntary basis," White wrote in an e-mail.  "It is also important to note that DoD and NSA would not intercept or monitor any private computer networks at any level -- we strictly adhere to both the spirit and the letter of U.S. laws and regulations in performing our missions.

" We are working with DHS and the private sector - and leveraging existing collaborative cybersecurity programs with the DIB - to look for appropriate and innovative ways to share our defensive capabilities to protect the DIB," she wrote.

Several major defense contractors declined to comment for this story, citing the sensitivity of the idea and saying that they did not want to alienate the Pentagon by expressing public concern. 

But government officials said that while they could fairly easily make the case in public by giving Congress a sense of how much information is currently lost to hackers or thieves, the private sector would not stand for it.