Reuters reported Wednesday that for the first time, classified information about cyber-vulnerabilities in the U.S. will be used to protect private businesses outside the military industrial complex. The Department of Homeland Security plans to facilitate a multi-agency process through which secret information gleaned about possible software flaws vulnerable to attack can be passed on to the private sector. The new proposal complements the already widespread (but largely unspoken of) government practice of mass-buying tools that so-called zero-day exploits — hacker tools designed to take advantage of software vulnerabilities.
Secretary of Homeland Security Janet Napolitano said that a system being developed to scan Internet traffic headed toward critical businesses would block attacks on software programs that the general population does not realize are possible.
“It is a way to share information about known vulnerabilities that may not be commonly available,” Napolitano said at the Reuters Cybersecurity Summit in Washington, D.C.
The information would come from “a variety of sources” including intelligence agencies, she said on Tuesday.
The National Security Agency and other intelligence agencies develop and acquire knowledge about software flaws in order to penetrate overseas networks. Until now, there has been no straightforward way for these agencies to share that classified data with U.S. companies outside the defense sector, even though those companies could become victims of cyber attacks.
The plan is to discreetly share the data through what the government calls Enhanced Cybersecurity Services. Under a February presidential order, those services will be offered by telecommunications and defense companies to utilities, banks and other critical infrastructure companies that choose to pay for them.