In event of cyberattack, who's in charge?

Congressional panel says lines of authority not clearly delineated, formal response plans absent

Although the United States is building up a series of organizations and systems to defend its vital infrastructure from cyberattack, coordinating and managing this massive edifice remains a challenge. This lack of overall authority and strategic direction was a key topic brought up by government and private-sector groups in congressional testimony last week.

Speaking at a House Armed Services Subcommittee hearing on Emerging Threats and Capabilities, members of Congress and other speakers raised their concerns about the challenges facing national cyber defense. Defining clear lines of authority remains an issue that must be worked out.

Subcommittee chairman Max Thornberry (R-Texas) said that if enemy aircraft or ships attack U.S. territory, there are clear rules to invoke a military response. But how should the nation respond if there is an attack from cyberspace, he asked. Specifically, he wondered if the Defense Department or the federal government is able and authorized to commit to a response.

Related coverage:

Two years later, U.S. still not prepared to secure cyberspace, report warns

Determining what part of the government should respond to an attack remains a challenge due to a variety of factors, such as the nature of the attack, determining if and when an attack is taking place and where the attack came from. The Stars and Stripes reported that there is still no definite agreement between Congress, the White House, the intelligence community, the Defense and Homeland Security departments and industry stakeholders about who should watch over certain networks and respond in different cyberattack scenarios.

Some steps have been taken. The Stars and Stripes noted that two bills introduced last year seek to establish explicit lines of federal authority. The administration has also ordered the DOD and DHS to assign observers to sit in on each other’s cybersecurity operations to promote better coordination.

But House subcommittee members remained skeptical. “I have to say, I’m afraid many in industry and in government still fail to appreciate the urgency of this threat. Since I began working on this issue, I’ve been disappointed by the overall lack of serious response and commitment to this issue,” said Rep. James Langevin (D-R.I.).

Industry groups cautioned against a direct government takeover of the Internet during an emergency. Gregory Nojeim of the Center for Democracy and Technology warned that shutting down commercial computer networks in a crisis could have unforeseen effects, and may even make matters worse.

Speaking for the nation’s electric grid operators, Gerry Cauley, CEO of the North American Electric Reliability Corp., maintained that industry is constantly improving its security and developing new ways to handle crises. He said that the military should only step in if private firms are overwhelmed by a massive attack.

The ultimate answer to sorting out cyberspace jurisdictional issues between the DOD and DHS lies with Congress, said Rep. Hank Johnson (D-Ga.). “Just as the military does not police our streets, it should not police our civilian cyber infrastructure. But we must ensure that the armed forces have the necessary tools to protect and defend the country from cyber warfare,” he said.

inside gcn

  • Google Map of free sandbags in Los Angeles

    When simple is best: Google Maps for disaster prep

Reader Comments

Wed, Feb 16, 2011

All networks are under attack every day - period. So for Cyber attacks, would I (or anyone) give up my firewall and spam filter and put all my trust in the Government to defend myself? HECK NO! Keep the government out - it's up to its ears in debt anyway, so how canit afford yet another 'project'?

Tue, Feb 15, 2011 DHS Observer Laurel, MD

Congress must disabuse itself of the fantasy that DHS might actually be able to respond to a cyber emergency. DHS absolutely does NOT have the culture of action found in a military organization -- that was demonstrated to our horror in DHS's Katrina non-response and little has changed in that bureaucracy. This is an outfit that wraps itself around the proverbial axle during cyber attack exercises over perceived legal prohibitions, such as provisions of the Paperwork Reduction Act they believe prohibits asking the private sector for information during a crisis! That level of immaturity and inability to put matters in perspective is rarely found in DOD during combat operations, but is the continuing hallmark of DHS. The only correct answer to the question of defending the USA from attack of any kind, physical or cyber, is DOD. Let's hope we don't have to read in the "Cyber 9/11 Report" how we exposed ourselves to attack by hindering DOD's response with legions of DHS/DOJ bureaucrats seeking to do "law enforcement" instead of proactive self-defense of our Nation.

Tue, Feb 15, 2011

Never use one office to meet a requirement, when a dozen offices (and the slices of turf and empire that go with them) will do. This is nothing new- FedGov has ALWAYS had way too many offices with the same mission, and not just in IT. Supply, Intel, and even mundane support ops communites are the same way. I've given up expecting it to ever get better. Nobody ever got promoted suggesting that their agency or unit give up mission.

Tue, Feb 15, 2011

With the 'controls' DoD imposes on its own IT infrastructure, who knows what bad things could happen to the electronic grid, for instance, without a cyber attack?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group