Some of the biggest cyber risks to the military dont start inside government networks | Federal News Network

Terry Gerton The Pentagon has invested heavily in cyber defenses, but this new effort with DC3 puts partnership with industry at the center of its engagement. Why is right now the right time to expand the partnership agreements?

Terry Kalka The partnership agreements we have with industry are key to an exchange of cyber threat information that is not available from commercial sources. And at a time when we are looking to strengthen the defense of our arsenal of freedom, we are eager to extend this partnership out across the defense industrial base to the maximum extent possible.

Terry Gerton What sort of threats are you seeing, if you can share them in an unclassified way, that motivate this higher concern?

Terry Kalka If you look at what is publicly available and what is impacting industry and critical infrastructure, you will find that the defense industrial base is not exempt from any of those types of things. So whether we're talking about the nation-state threats of our primary competitors, or whether we're looking at ransomware driven by cybercrime actors, the defense industrial base faces the level of threat. And because of where they are in the ecosystem, in some cases they face a very unique set of threats where an adversary is looking for information that perhaps properly belongs to the Department of War, and may not find it within a Department of war environment, but can sort of start to poke and prod through an industrial environment to look for it. Our supply chain is our strength and we need to do everything in our power to help them defend themselves.

Terry Gerton This new announcement opens up the defense Industrial base Cybersecurity Program to new partners, what is actually changing with this new announcement for both companies and for the government, as you think about the sharing of information?

Terry Kalka So there are two things that changed in the last couple of years that I would like to highlight because there was a lot of change with the new administration, a lot of executive orders and a lot of — we needed to take some time to make sure we were properly aligned and following the direction that we've been given. So the program, which actually began in 2008, was initially for cleared defense contractors only. And we built up some momentum. We began with some 16 companies in 2008 and then hit well over the 1,000 mark. And in 2024, there was a change to the federal rule governing the program where we were able to open the program to non-cleared defense contractors. So, having a clearance or a facility clearance is no longer a requirement. And what we are looking for are companies who store or process sensitive, unclassified information, in many cases controlled, un-classified, information, but there are other types of sensitive information they may have, and we're looking to bring them into the fold. So that was announced in 2024. In 2025, we put a strategic pause on new membership while we sorted through the direction the administration was taking in cyber security. So what has effectively happened is we have picked up where we left off. What is new for companies joining now is, first of all, the advantage of joining this trusted partnership. Some of these organizations have been with us for five, 10, 15 years. Some of the actual people have been with us since the beginning of the program, and that's very gratifying to see them returning year after year. I would also say that with a renewed focus on not just the defense of sensitive information, but the continuity of operational activity, we are very interested in helping secure OT systems that are at risk to ensure that critical systems can operate in support of the department.

Terry Gerton How does this collaboration space that DC3 is managing compare or augment some of the collaboration groups that are managed by CISA?

Terry Kalka Excellent question. So in the world of policy, we have 16 critical infrastructure sectors. The Department of War is the sector risk management agency for the DIB. CISA is the sector risk management agency for about half of those others, and then CISA has a central coordinating role. So what this looks like on a day-to-day basis is that information we get that we think needs to be promulgated to the other critical infrastructure sectors, we pass that to CISA. When CISA gets information that is particularly relevant to the DIB, they send that right back to us. So there's an ongoing exchange of information. CISA, by nature of their posture within the ecosystem, they tend to be more focused, first of all, on the federal civilian executive branches, and then the eight or so sectors of critical infrastructure where they have designated authorities and responsibilities. So, I would describe it as a partnership and a partnership of partnerships, where they have partnerships, we're happy to come in and help. Where we have partnerships we're to help make connections.

Terry Gerton Terry Kalka is director of the DOD Defense Industrial Base Collaborative Information Sharing Environment inside the Department of Defense Cybercrime Center. Let's go back to the fact that you've opened up this partnership opportunity now to non-cleared contractors. If a contractor is considering joining, what do they need to know? What are partners required to provide here? What sort of protections do they get if they're participating?

Terry Kalka That's a great question. So the key requirement to join is, do you have a contract with the Department of War and do you process controlled unclassified information or other sensitive information? There is what's called a medium assurance certificate. It is a security certificate that you're actually already required to get. A lot of companies don't have them, but it is in your contract under your DFARs 252-204-7012 clause. And that certificate is what allows us to communicate with you via encrypted email. So a lot of my colleagues in the department don't realize most defense contractors don't have CACs. They don't have the same types of access and authentication capabilities. So these certificates are what allow us to exchange confidential information. The other thing is there's a framework agreement, about eight pages, that essentially defines the terms of the partnership. We will provide the company with government furnished information. They will not share that information beyond the confines of this partnership. Any information they share with us voluntarily we will use to augment cyber defenses in the DIB and the department but we will not attach that information back to the name of the company. So if Terry Kalka, Inc. reports cyber activity. We think, hey, we would like the rest of the DIB to know about this. We will share the technical information and the indicators of compromise. We will conduct analysis on that information to augment and amplify it. We'll pass that information throughout the Department of War so that we can use it for our defenses. But at no point does it say, this info originated with Terry Kalka, Inc., unless you want us to do that. And what that does is it builds an environment of trust, where we have companies who will talk to us about things that they're seeing that they are not necessarily comfortable sharing with other agencies or other entities.

Terry Gerton This seems like a pretty general invitation now for folks to partner with DC3 in this information sharing arrangement. Are there particular contractors you're hoping volunteer or is there a limit to the number of people who can come?

Terry Kalka There isn't a limit. In fact, as long as I have been involved with this program, which is now eight and a half years I have been in some way associated with it — I've been the director for about two and a half years — we've always had the risk/opportunity, what if you wake up one day and 10,000 companies sign up all at once? That's a problem I would love to have. I invite people to bring me that problem. We have standard repeatable processes that we follow. We have measured workflows. We have ways of managing the workload so that we can try to ease the burden when we hit a bottleneck at some point. But we've not hit a limit to the number of companies. We are eager for small and medium businesses to sign on board because we know they don't have necessarily the resources to defend themselves. What you get when you partner with us are a couple of key things. One is cybersecurity defensive information that is 95% unique. You cannot acquire it from another channel. You also get access to, if you wish, a number of cyber services that we offer. I'd like to highlight a couple of those briefly. Our Defense Industrial Base Vulnerability Disclosure Program, we bring in friendly researchers to look at your public infrastructure and look for vulnerabilities. And if they find them, they report them. And then we will work with you to mitigate them and get them patched, hopefully before there's an actual intrusion. We have a capability we call Dice-Cubed. This is analysis of firewall logs. It allows us to find activity. Given just a few indicators, we're able to locate and warn potential and actual victims of malicious activity. And thirdly, you get a collaborative environment. You're able to join us for our Semi-annual technical exchange. It's a conference we run in the National Capital Region. We also go out around the country to do regional partner exchanges. And the ability to have face-to-face communication and conversations around cyber threat provides a level of information and again, trust, that's invaluable and not something you simply get through email exchanges.

Terry Gerton So if we piqued someone's interest out there and they missed the announcement and want to know more, where should they go?

Terry Kalka The fastest place is dc3.mil. The DICE and DIB cybersecurity program is part of a larger effort going on at the DOD Cybercrime Center, also known as DC3. And you can email us for more information at dc3.dcise@us.af.mil