When it comes to defending the nation’s private networks from cyber attacks, the Defense Department still is mostly in after-the-fact “forensics mode,” the military’s top cyber official told lawmakers Tuesday.
The Pentagon sees its job as defending the nation from foreign threats, a view that’s probably not too controversial. But in the 21st century, that means not just incoming missiles, but incoming data packets. DoD’s Cyber Command needs real-time information on attacks so it can stop them before they succeed, said Army Gen. Keith Alexander, who leads both the National Security Agency and U.S. Cyber Command. But right now, the military has a very hard time thwarting online attacks against the country’s private sector networks, because Cyber Command doesn’t even become aware of them until long after they’re finished.
“If we can’t see the attack, we can’t stop it,” Alexander told the Senate Armed Services Committee Tuesday. “We’re not talking about putting the military or the NSA into private networks to see the attack. We don’t want to do that. But we have to have the ability to work with industry so that when they see an attack, they can share that with us immediately.”
Information sharing is weak
Current methods of information sharing between government and industry are weak, military and congressional officials said, especially when stacked against the rate at which both state and non-state cyber opponents are developing new capabilities to exploit networks. “A major cyber attack against the United States literally could happen any day. I’m not predicting that it will, but our privately owned cyberspace is far more vulnerable to attack than DoD’s systems are,” said Sen. Joseph Lieberman (I-Conn.), who has sponsored one of the Senate’s proposals to update the way the U.S. thinks about protecting cyberspace. “I hear so many stories about critical infrastructure operators using defensive systems that are 15-years old without even basic detection capabilities.”
Alexander’s testimony comes at a time when the Senate is debating two cybersecurity proposals that have one major point of departure: Lieberman and Sen. Susan Collins’ (R-Maine) bill would tell the Department of Homeland Security to set minimum cybersecurity standards for the nation’s most critical infrastructure. A competing proposal advanced by Sen. John McCain (R-Ariz.) and others would take a hands-off approach from the government’s perspective, but would allow for some legal liability protections in order to encourage industry to voluntarily share information with the government.
Such a system is unworkable, said Rep. James Langevin (D-R.I.), who has introduced legislation that also would require critical infrastructure operators to adhere to a set of minimum cybersecurity standards.
“We do not accept voluntary safety standards for our airlines or in our food system, and we should not accept them when it comes to the utilities and infrastructure upon which we most rely,” he said in a statement Tuesday.
“This is the hard part,” Alexander said. “We don’t want to burden industry, but their networks need to be as defensible as possible. “We have to set up some standards. It needs to be like the system we have for roads and cars.”
Legislation meets DoD’s needs
Alexander was careful not to explicitly endorse any particular legislative proposal. He said his main concern was information sharing, and that concern he said was acknowledged by both major pieces of cyber legislation. McCain, whose bill would leave industry mostly to itself with regard to cybersecurity practices, sparred briefly with Alexander over DoD’s vision of how the departments of Defense, Homeland Security and the FBI would interoperate on cybersecurity. His main objection was to the lead role DoD wants Homeland Security to take when it comes to working with domestic companies.
“Anyone who’s been through an airport has no confidence in the technological abilities of the Department of Homeland Security,” McCain said. “Most of our cyber threats come from overseas. What would be the logic in putting our cyber defenses in the Department of Homeland Security?”
Alexander said DHS, DoD and the FBI need to work in concert. DHS, he said, should be the primary interface between the government and critical infrastructure operators; the FBI should be the main investigative agency for cyber attacks; DoD should be able to respond to foreign attacks, either through cyber means or with bombs and bullets, under rules of engagement the Pentagon is still finalizing.