DOD Cyber Crime Center’s vulnerability disclosure program racking up savings for industrial base
About six months after launching a fully operational vulnerability disclosure program for the defense industrial base, the Defense Department’s Cyber Crime Center estimates that it has potentially saved contractors hundreds of millions of dollars.
Following successful pilot efforts, DC3 announced in April that it was partnering with the Defense Counterintelligence and Security Agency to set up an official program called DIB-VDP that allows independent white-hat hackers to find and analyze vulnerabilities in companies and their systems so the flaws can be addressed with the help of the Pentagon. Participation is free and voluntary for companies.
“Most of the DIB, some 200,000 companies, are small and medium-sized businesses. They are not equipped to defend themselves against advanced adversaries. And so the question becomes, how can we help them defend themselves? What can we provide to them? … And the answer is some form of cybersecurity as a service, usually focused on small to medium-sized companies, again, to provide capabilities that they would not be able to work with themselves,” Terry Kalka, director of the defense industrial base collaborative information sharing environment at DC3, said during remarks at CyberTalks on Wednesday.
“IBM did me a big favor the other month, and they updated their annual assessment of the cost to a company when there’s a data breach. This year, the average cost is $4.88 million. Every time we find a vulnerability, validate it, work with the company to get it fixed and validate the fix, we have blocked an adversarial approach, and we have saved them $4.8 million in response and recovery costs on average,” he said. “We’ve saved the defense industrial base this money, we’ve saved the American economy that money, we’ve saved DoD that money, because the reality is we’re going to pay for cybersecurity one way or another.”
In those terms, the agency has closed out enough vulnerabilities in the first six months of the program to save the DIB a potential $300 million, according to Kalka.
He later told DefenseScoop that roughly 62 vulnerabilities have already been closed out and there are about 160 more currently in the queue for fixes.
“Meanwhile, we’re bringing more companies into the program, finding more vulnerabilities. And so it’s a virtual circle of mitigation,” he said on the sidelines of the conference.
Officials are working to counter a variety of malicious cyber activities.
“Phishing is always a constant threat, but I think we’re seeing phishing more as an interrupter to operations, like part of ransomware. The more prevalent threats in the last year have to do with actual exploitation and exfiltration of data. And what that indicates to me is that phishing is still effective but it’s not necessarily the most effective attack vector anymore. And so we really need to work on closing vulnerabilities, patching systems and through CISA’s leadership, secure by design, because that’s how we’re going to block adversarial attacks,” Kalka told DefenseScoop.
Countries like China, Russia, North Korea and Iran are affecting critical infrastructure, he said.
“We’re seeing threats from all over the world, including domestic IP addresses. And that’s the tricky thing, is that in the immediate incident response, attribution to a nation-state or to a criminal organization is a second- or third-order effort. Our primary focus is: Where did it come from? How do we stop it? How do we figure out what damage might have been done to DOD information? And so, as you know, you can borrow an IP address from just about anywhere. So we see a global range of threats,” Kalka said.