The United States must “normalize” cyberspace operations if it is to protect and defend cyber assets, including the critical infrastructure, according to the commander of the U.S. Cyber Command (CYBERCOM). Gen. Keith B. Alexander, USA, who also is the director of the National Security Agency (NSA) and the Central Security Service (CSS), told the Senate Committee on Appropriations Wednesday that the nation faces “diverse and persistent threats” that cannot be countered through the efforts of any single organization.
“The defense of U.S. military networks depends on knowing what those who would harm us are doing in cyberspace, which in turn depends on intelligence produced by NSA and other members of the intelligence community regarding adversary intentions and capabilities,” he stated.
The dual-hatting of the NSA director and the CYBERCOM commander unifies the capabilities for full-spectrum cyber operations, Gen. Alexander stated, adding that it “deconflicts the use of the cryptologic platform” with full knowledge of the needs of both organizations. “The flow of information and expertise across the commands, agencies, departments and foreign mission partners here and overseas is improving slowly but steadily,” he stated, adding “we have much to gain from this partnership, but perhaps not much more time left before our situation in cyberspace becomes even more worrisome than today.”
Gen. Alexander also addressed the recent controversy of widespread NSA monitoring. He said that the 9/11 terrorist attacks might have been prevented if the surveillance programs had been in effect at that time. Dozens of terrorist events have been averted by the monitoring, and the revelations have set back U.S. counterterrorism efforts.
“Our security is jeopardized,” he said of the revelations. “There is no doubt in my mind that we will lose capabilities as a result.”
Gen. Alexander did agree that, with the revelations having become public, a national debate on the issue of security versus public knowledge is appropriate. He emphasized the importance of ensuring civil liberties, but he cautioned against publicizing all counterterrorism efforts lest adversaries revamp their activities to circumvent surveillance.
“If we tell the terrorists every way we are going to track them, they will get through and Americans are going to die,” he declared.
The United States cannot yet deter persistent cyber harassment of private and public sites, property and data, the general observed. While these attacks have not caused loss of life, they have been destructive to data and property in other countries. Gen. Alexander cited remote assaults on Saudi Aramco and RasGas that rendered inoperable and effectively destroyed the data on more than 30,000 computers, and said that cyber attacks are worsening.
“It is only a matter of time before the sort of sophisticated tools developed by well-funded state actors find their way to groups or even individuals who, in their zeal to make some political statement, do not know or do not care about the collateral damage they inflict on bystanders and critical infrastructure,” he predicted.
The United States is already a target, he continued, adding that state-sponsored attacks have caused degradation and disruption to U.S. networks and websites, some as collatoral damage. He declined to name the countries that have conducted these attacks in an unclassified forum, but he warned of the vulnerability of the critical infrastructure.
“On a scale of one to 10, with 10 being strongly defended, our critical infrastructure’s preparedness to withstand a destructive cyber attack is about a three,” he testified.
Gen. Alexander pressed his request for legislation to empower cyber defense, calling for legislation that facilitates cybersecurity information sharing among the government and the private sector; incentivizes the adoption of best practices and standards for critical infrastructure; gives law enforcement the tools to fight crime in the digital age; updates federal agency network security laws and codifies Department of Homeland Security cybersecurity responsibilities; and creates a national data breach reporting requirement. The current budget for unclassified cyber operations in fiscal year 2014 is $13 billion.