Cyber Command Chief Warns of National Vulnerabilities

Gen. Keith B. Alexander, USA

Because the defense of cyberspace is so complex, the solution may lie in establishing a “secure zone” where key government, financial and critical infrastructure computer systems would reside, the general offers. This secure zone would be separate from the public Internet at large, and its creation would allow effective security measures to be emplaced without affecting the performance of everyday public cyberspace usage.

Speaking to a small group of journalists at Fort Meade, Maryland, Gen. Alexander placed cyberattacks in three categories: criminal, disruptive and destructive. We have seen the first two, he said, and experts are seeing indications of the third—the question is when that will hit.
“This is one of the most critical problems our country faces,” he asserts. “We’re losing money today, and there is a real probability that, in the future, this country will get hit by a destructive attack—and we need to get ready for it.”

At issue are the responsibilities for the power grid, financial networks and other critical infrastructure elements, both government and commercial. It will take a team comprising organizations such as the FBI and the Department of Homeland Security to determine and wield those responsibilities, Gen. Alexander states.

The Obama Administration still is working to develop a national cybersecurity policy that will take into account civil laws and relationships. Gen. Alexander endorses this administration effort, and he suggests that his command could wargame civil cyberdefense against the backdrop of laws and government policies. Until new government policies are formalized, the Cyber Command will focus on defending Defense Department networks. And, as directed, the command also will help the Department of Homeland Security defend its networks.

“What we don’t want to do is race into legislation without getting all the pieces down,” the general declares. “What the White House is putting together is the right approach—we must get these pieces together; how do you want to operate the team; where are the different rules for the members of the team; do we have those authorities and does everyone understand it. Then, once you have done all that, you say, ‘Now—from a Department of Justice perspective, do you have the authority to do that? If not, why not?’ Then, that’s what you need to change.”

Most of the laws regarding cyberspace predate the growth of the Internet and actually focus on traditional telephony, he notes. These laws must be updated. The Cyber Command wants clear assurances as to who has the responsibility for cyberdefense in the diverse environment.

“We can protect civil liberties and privacy and still do our mission,” he declares. “There are going to be mistakes, but our job should be, ‘let’s do the best we can at that.’ We can protect the First Amendment and the Fourth, and do a good job at that.”

The country may need a multilayered deterrent strategy that takes into account the different types of attackers threatening the diverse infrastructure. That strategy must be evolved, the general adds.

Gen. Alexander expects the Obama Administration to “get its stuff done” over the next 90 days or so. Then, when the new Congress returns in 2011, it will treat it as a key piece of legislation. “Clearly, with the Congress today, you’re not going to get that done, with where they are,” he offers.

Currently, the command’s operations center—which began with the migration of the Joint Task Force–Global Network Operations (JTF–GNO) into the command—is the furthest along in its elements, the general says. Practices and procedures for how the command defends the Global Information Grid (GIG) are in place and operating well.

The general notes the difference between a static defense—such as an antivirus program that usually stops about 80 percent of intrusions—and an active defense that looks among data packets moving suspiciously or even malevolently through a network. This scrutiny would be complemented by cooperation with foreign intelligence services to improve digital awareness, and it will be necessary for stopping the more sophisticated 20 percent.

Determining where an attack originates remains a problem. “Attribution is critical and difficult, so our strategies have to accommodate the possibility—the probability—that you may not know if it is a mistake or an intent,” Gen. Alexander offers. “It is important for Cyber Command to work with the intelligence community at large.” While the command works only within Defense Department networks, in an area of hostilities it could receive additional authorities via an execute order.

Part of the command’s challenge is to protect a realm that defies structure and is constantly changing. Gen. Alexander points out that the Internet has 1.9 billion users, and cellular subscriptions total 4.6 billion. An average of 247 billion e-mails are sent each day, and 70 percent of them are spam. A total of 90 trillion e-mails were sent in 2009. The value of intellectual property online is about $5 trillion, and $300 billion of that is stolen over the network every year. “There are some issues that we have to resolve in cyberspace for our own national economy,” he says.

Government currently informs industry when it discovers a security problem, but the general asserts that network security cannot be achieved without both industry and government working cooperatively. Again, a team construct may be required to ensure proper cooperation among all parties.

The command has roughly 1,000 military and civilian personnel in its command structure. Gen. Alexander notes that the command has an around-the-clock joint operations center that requires constant manning. He adds that the command’s budget for FY 2010 was about $120 million, most of which went to contract support. The command will request a 25-percent increase to about $150 million in FY 2011, he says.