DOD Cyber Crime Center's Vulnerability Disclosure Program Brings Savings to Industry

About six months after launching a fully functional vulnerability disclosure program for the defense industry, the Defense Department's Cyber Crime Center estimates it may have saved contractors hundreds of millions of dollars.

After successful pilot tests, DC3 announced in April that it was working with the Defense Counterintelligence and Security Agency to establish a formal program called DIB-VDP, which enables independent white-hat hackers to find and analyze vulnerabilities in participating companies' systems so that they can be addressed with the help of the Pentagon. Participation is free and voluntary for companies.

“The majority of the DIB, around 200,000 companies, are small and medium-sized companies. They are unable to defend themselves against advanced opponents. And so the question becomes: How can we help them defend themselves? What can we offer them? …And the answer is a form of cybersecurity as a service, typically aimed at small and medium-sized businesses to provide capabilities that they couldn't work with themselves,” Terry Kalka, director of the Defense Industrial Base Collaborative Information Sharing Environment at DC3, said during a speech at CyberTalks on Wednesday.

“IBM recently did me a big favor by updating their annual assessment of the cost to a company of a data breach. This year the average cost is $4.88 million. Every time we find a vulnerability, validate it, work with the company to remediate it, and validate the fix, we have blocked an adversarial approach and saved them an average of $4.8 million in response and recovery costs,” he said. “We saved the defense industry this money, we saved the American economy this money, we saved the Department of Defense this money, because the reality is that we are going to pay for cybersecurity one way or another.”

With that in mind, the agency has patched enough vulnerabilities in the first six months of the program to potentially save the DIB $300 million, according to Kalka.

He later told DefenseScoop that about 62 vulnerabilities have already been fixed and about 160 more are currently in the queue for fixes.

“We are now seeing more companies take part in the program and are finding more and more vulnerabilities. So it's practically a cycle of damage control,” he said on the sidelines of the conference.

Authorities are working to counter a wide range of malicious cyber activity.

“Phishing is always an ongoing threat, but I think we see phishing more as an interruption to operations, like a piece of ransomware. The threats that have become more common in the last year have to do with actual data exploitation and exfiltration. What this means to me is that phishing is still effective, but is no longer necessarily the most effective attack vector. That's why we really need to work on closing vulnerabilities, patching systems and being secure through the leadership of CISA because that's how we're going to block adversarial attacks,” Kalka told DefenseScoop.

Countries such as China, Russia, North Korea and Iran are affecting critical infrastructure, he said.

“We see threats from all over the world, including domestic IP addresses. And that's the tricky part: in the immediate response to an incident, attribution to a nation state or criminal organization is a second or third order effort. Our main focus is on the question: where does it come from? How do we stop it? How can we find out what damage may have been done to the Defense Department's information? And so, as you know, you can borrow an IP address pretty much anywhere. So we see a global spectrum of threats,” Kalka said.


Written by Jon Harper

Jon Harper is editor-in-chief of DefenseScoop, Scoop News Group's online publication focused on the Pentagon and its pursuit of new capabilities. He leads an award-winning team of journalists who provide breaking news and in-depth analysis of military technology and the way it influences the way the Defense Department operates and modernizes. You can also follow him on X (the social media platform formerly known as Twitter) @Jon_Harper_