By Joseph Menn
WASHINGTON (Reuters) - The U.S. government will use classified information about software vulnerabilities for the first time to protect companies outside of the military industrial complex, top officials told Reuters this week.
Secretary of Homeland Security Janet Napolitano said that a system being developed to scan Internet traffic headed toward critical businesses would block attacks on software programs that the general population does not realize are possible.
"It is a way to share information about known vulnerabilities that may not be commonly available," Napolitano said at the Reuters Cybersecurity Summit in Washington, D.C.
The information would come from "a variety of sources" including intelligence agencies, she said on Tuesday.
The National Security Agency and other intelligence agencies develop and acquire knowledge about software flaws in order to penetrate overseas networks. Until now, there has been no straightforward way for these agencies to share that classified data with U.S. companies outside the defense sector, even though those companies could become victims of cyber attacks.
The plan is to discreetly share the data through what the government calls Enhanced Cybersecurity Services. Under a February presidential order, those services will be offered by telecommunications and defense companies to utilities, banks and other critical infrastructure companies that choose to pay for them.
Napolitano's Department of Homeland Security will take the information from the NSA and other sources, and relay it to service providers with security clearances. The service providers would then use these "attack signatures" - such as Internet routing data and content associated with known adversary groups - to screen out malicious traffic.
Napolitano's comments were the first disclosure that the screening would also cover attacks on software using methods known to the government that have not been disclosed to the software manufacturers or buyers.
While U.S. intelligence agencies have at times warned software manufacturers, such as Microsoft Corp (MSFT.O) and Google Inc (GOOG.O), or Homeland Security officials of specific, declassified problems, the new system will be machine-to-machine and far more rapid.
It reflects the realization that many espionage attacks from overseas are aimed at the private sector and that future destructive attacks may arrive the same way. (Classified attack signatures have been used to protect defense manufacturers under a Pentagon program.)
House of Representatives Intelligence Committee Chairman Mike Rogers said he welcomed the plan to share information about vulnerabilities more broadly, while maintaining control of the process to avoid tipping off rival countries or criminals.
"This can't happen if you post it on a website," Rogers, a Republican and lead author of a cybersecurity information-sharing bill that has passed the House, told the Summit. "We have to find a forum in which we can share it, and 10 providers serve 80 percent of the market. We have classified relationships with a good number of them."
Among those that have agreed to provide the classified security services are AT&T Inc (T.N) and Raytheon Co (RTN.N). Northrop Grumman Corp (NOC.N) said this week it had also joined the program.
The secret but widespread U.S. practice of buying up tools leveraging unknown or "zero-day" software flaws for spying or attacks was the subject of a Reuters Special Report last week, in which former White House cybersecurity advisors said more flaws should be disclosed for defensive reasons.
Michael Daniel, the White House cybersecurity policy coordinator, told the Summit the Enhanced Cybersecurity Services program was still evolving and the type of information shared would change as threats do.
"We want to use the full capabilities that we have to protect as much of the critical infrastructure as we can with that program," he said.
(Reporting by Joseph Menn; Editing by Tiffany Wu and Leslie Gevirtz)