Is there anything RSA wants to tell us about the Lockheed breach?
Lockheed Martin's network came under "significant and tenacious" attack last week, the defense contractor said over the weekend. President Obama was briefed on the attack, and both the Pentagon and the Department of Homeland Security are assisting in ensuring the security of the network, a number of news outlets reported.
Network attacks appear to be coming at a faster and more furious pace, but the response from targeted companies to such worrisome incidents seems to be lagging. The attack was first reported publicly on May 25 by Robert Cringely on his blog, but he did not name the target. The next day, Reuters named Lockheed, quoting anonymous sources.
It wasn't until Saturday that Lockheed disclosed the breach. In a press release, the company maintained that its system remained secure despite the attack because it detected the intrusion right away. It isn't clear whether anything was stolen, but Lockheed said that "no customer, program or employee personal data has been compromised."
There has been a frenzy of speculation--beginning with Cringely's post back on May 25--that the attack was carried out by the same people who hacked into RSA, a division of EMC Corporation, in March. Cringely wrote that it "seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company. With those two pieces of information they were then able to get access to the internal network." Reuters followed up the next day, reporting that whoever attacked Lockheed used duplicated SecurID keys--made by RSA--to breach the system.
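The mechanism Cringely and Reuters are speculating about is worth seeing concretely, because it explains why the two pieces (the token seeds and a keylogger) matter together. The following is an added illustration, not code from Lockheed, RSA or any of the reports above. SecurID's algorithm is proprietary and is not shown here; the token is modelled with RFC 6238 TOTP (HMAC-SHA1 over a time counter), which has the property that matters for the argument: anyone who holds the per-token seed can compute every tokencode that token will ever display. The 60-second step, the four-digit PIN, the serial number, the seed values and the timestamps are all constructed for the walkthrough.

```python
"""Stolen token seed + keylogged PIN, modelled with TOTP as a stand-in for SecurID.

Added example: not Lockheed's or RSA's code. The authenticator stores one seed record
per token serial, as both the token vendor and the customer's authentication server
would. Values below are made up for the demonstration.
"""
import hashlib
import hmac
import struct

TIME_STEP = 60   # seconds per tokencode (assumed for the demo)
DIGITS = 6       # tokencode length (assumed for the demo)
PIN_LEN = 4      # PIN length the attacker expects to find in the keylog (assumed)


def tokencode(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP tokencode for `seed` at `unix_time` (HMAC-SHA1, dynamic truncation)."""
    counter = unix_time // TIME_STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Authenticator:
    """Server side: the seed store. A passcode is PIN followed by the current tokencode."""

    def __init__(self) -> None:
        self.records: dict[str, tuple[bytes, str]] = {}   # serial -> (seed, pin)

    def enroll(self, serial: str, seed: bytes, pin: str) -> None:
        # A production server would protect the PIN (hash/HSM); kept plain for clarity.
        self.records[serial] = (seed, pin)

    def verify(self, serial: str, passcode: str, now: int) -> bool:
        record = self.records.get(serial)
        if record is None:
            return False
        seed, pin = record
        # Accept one step of clock drift either side; compare in constant time.
        for drift in (-1, 0, 1):
            expected = pin + tokencode(seed, now + drift * TIME_STEP)
            if hmac.compare_digest(expected, passcode):
                return True
        return False


def demo() -> dict[str, bool]:
    """Walk through the hypothesised attack; returns which logins the server accepts."""
    # Constructed enrollment data: a token serial, its seed (what a seed-store breach
    # would yield) and the user's PIN (what a keylogger would yield).
    serial = "000123456789"
    seed = bytes.fromhex("3132333435363738393031323334353637383930")
    pin = "7391"
    auth = Authenticator()
    auth.enroll(serial, seed, pin)

    t0 = 1_306_000_000                     # user logs in from a keylogged workstation
    typed = pin + tokencode(seed, t0)      # exactly what the keylogger records
    results = {"legit": auth.verify(serial, typed, t0)}

    t1 = t0 + 3600                         # attacker tries an hour later
    # Keylog alone: replaying the captured passcode fails, the tokencode half has expired.
    results["replay_keylog_only"] = auth.verify(serial, typed, t1)
    # Seed alone: the attacker can mint tokencodes but has no PIN to prefix them with.
    results["seed_only"] = auth.verify(serial, tokencode(seed, t1), t1)
    # Seed + PIN lifted from the keylog: indistinguishable from the real user.
    stolen_pin = typed[:PIN_LEN]
    results["seed_plus_pin"] = auth.verify(serial, stolen_pin + tokencode(seed, t1), t1)

    # Remediation: reseed the token and force a PIN change; the stolen pair is now dead.
    new_seed = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f9001234567")
    auth.enroll(serial, new_seed, "2048")
    results["after_reseed"] = auth.verify(serial, stolen_pin + tokencode(seed, t1), t1)
    return results


if __name__ == "__main__":
    for step, accepted in demo().items():
        print(f"{step:20s} accepted={accepted}")
```

The point the example makes is the one the speculation rests on: neither the keylog nor the seed is sufficient on its own, but together they reduce a two-factor login to a password the attacker already has. It also shows why the remediation, if the hypothesis were true, is reseeding tokens and changing PINs rather than simply cleaning the keylogged hosts.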
In the absence of any details out of RSA or Lockheed Martin, the blogosphere has taken the speculation and run with it. I've come across just one lone voice pointing out that while it might sound like a logical link, a connection between the RSA hack and the Lockheed hack remains a mere hypothesis.
"In the last twelve hours world+dog are taking the story and running with it, all without confirmation. As it stands it is simply another sensationalized tale of a nascent hypothesis and cannot reasonably be regarded as actionable intelligence," Dave Kennedy wrote Friday on Verizon's official Security Blog.
RSA, EMC and Lockheed Martin are accustomed to secrecy and doling information out to the public in a carefully orchestrated manner--as they should, given their work in national security. But as Kennedy points out, the information vacuum results in a "round of cries that 'the sky is falling.'"
The incident "may represent an opportunity for EMC/RSA to set a positive example for communications among security professionals, but it also represents a danger because thus far, they have failed to communicate to our profession enough unambiguous information upon which to make decisions to defend our principals," Kennedy wrote.
This attack demonstrates yet again the need for better information around network security and breaches. When it comes to consumer data left exposed (Epsilon and Sony, for example), lawmakers are busy working on new rules for swifter notification and improved protection. When it comes to corporate data left vulnerable, security professionals need to get busy improving communication. As Kennedy noted, failing to do so signals a danger in itself. - Caron