DOD wants a baseline of security standards for defending civilian critical infrastructure and clear lines of authority for sharing information across sector boundaries.
With the presidential election behind us and the political status quo confirmed in Washington, the dangers in cyberspace continue to grow, says NSA Director and U.S. Cyber Command commander Gen. Keith B. Alexander.
The nation’s dependence on a global information infrastructure is growing at the same time threats are increasing both in number and in sophistication.
“Where are we going to go from here?” Alexander asked at the recent Symantec Government Symposium in Washington. “We have tremendous vulnerabilities. Everybody’s getting hit,” and the theft of intellectual property has become “the biggest concern we have right now as a nation.”
On top of that, recent attacks such as those against the Saudi oil company Aramco, believed to have been launched from Iran, demonstrate the ability to effectively wipe out data on targeted computers. “I am concerned that attacks like that are coming,” the general said. “We have to get ready for that.”
The message was not new. For years now Alexander has been pushing for better cooperation between government and the private sector in the face of cyber threats, and Defense Secretary Leon Panetta drew attention to the issue in October by revealing the Aramco attacks. But the intensity of the campaign is increasing, along with the stakes.
The Defense Department is moving ahead with plans and capabilities for conducting defensive and offensive operations in cyberspace and now is developing formal rules of engagement for cyberwar. But the DOD is placed in an awkward situation, having the intelligence, the capabilities and the mission of defending the .mil domain from foreign assault, but no authority to act in the non-military critical infrastructure on which it and the rest of the nation depends. That is the realm of the Department of Homeland Security, the FBI and the private sector. And while everyone would like to be under the DOD shield, nobody wants to turn over their security—or information—to the military.
There is informal cooperation. The NSA stands ready to provide its expertise to DHS for protection of civilian infrastructure. And DOD is working with the private sector through the Enduring Security Framework, a program launched in 2008 in which corporate executives are granted temporary, one-day classified clearance to get “scared straight” style briefings on cyber threats and capabilities. But DOD wants to see a legislative framework that will spell out the relationship between the military, the civilian government and the private sector in the area of cybersecurity.
Alexander, Panetta and the rest of the brass want two things: A baseline of security standards for civilian critical infrastructure that the military eventually could be called up on to defend, and clear lines of authority, responsibility and liability for sharing information across sector boundaries.
Whether the chances for this happening will be any better in the new Congress than in the current one—which was where cybersecurity legislation went to die—is anybody’s guess. But whatever the final formula for effective cyber defense is, it needs to emerge sooner rather than later, Alexander said.
“We can defend this space,” he said. “But we’re still at the starting line. We need to get moving.”
NEXT STORY: 7 elements of a self healing power grid