The Defense Department needs real-time access to threat information from the private sector if it is to protect the nation’s cyberspace, National Security Agency Director Gen. Keith Alexander said July 9.
“We need information sharing, in time and at network speed,” said Alexander, who also heads the U.S. Cyber Command. Because the United States is the largest user of online technology, “we are the most vulnerable and we need to do something about it.”
But the scope of the information that the NSA wants is misunderstood by the public, he said. “We’re not talking about giving our personal e-mails to the government.” The agency wants only attack signatures and IP addresses. “It doesn’t require reading the e-mail,” he said.
Alexander, speaking at the American Enterprise Institute, made a pitch for cybersecurity legislation that would enable easier sharing of threat information between government and the private sector, and among agencies, while also trying to quiet fears that sharing with the NSA would open the door to domestic military spying.
“We can protect civil liberties and privacy, and cybersecurity,” he said.
A variety bills addressing different areas of cybersecurity have been introduced in both houses of Congress, but have been stalled as lawmakers debate the proper role of government -- and particularly the military -- in protecting a predominantly privately owned cyberspace. It is generally felt that better cooperation, including information sharing, is needed between the private sector and government. But the details of what information should be shared, with whom and for what purposes remain in dispute.
Alexander, while not addressing any particular bill, said the two most important features of any legislation is information sharing and establishing standards of security for the nation’s critical infrastructure.
The threat of cyberattacks is escalating, both because online communications are becoming more tightly interwoven in our economy and national security and because the attacks themselves are becoming more sophisticated and dangerous.
“What I’m concerned about is the transition from disruptive to destructive attacks,” he said. “And I think that’s coming. We have to be ready for that.”
One subject conspicuously absent from in the talk was the Stuxnet worm, generally believed to be the first example of a cyberweapon designed to do physical damage, whose origin has been attributed to a U.S. cyberweapons program.
Establishing deterrence in cyberspace is more complex than with nuclear warfare because of the greater number of elements in the equation, Alexander said. In addition to nation states, there also are criminals, hackers, hacktivists and terrorist engaged on online activities. To date, the most serious activity has been espionage and the theft of intellectual property by both nations and criminals. Alexander called this theft “the greatest transfer of wealth in history.”
At this point, terrorist groups including al Qaeda do not pose a viable cyber threat, he said. But, “I’m concerned that while I don’t see it today, they could quickly get to that.”
Alexander’s plea for understanding about the need for data sharing comes at a time when NSA has raised eyebrows with the construction of the Utah Data Center, a secure facility reportedly for the interception and storage of electronic communications. He did not discuss details of the data center, but said it does not pose a threat to privacy.
“We don’t hold data on U.S. citizens,” he said. He said his agency does not have the resources to deal with the estimated 30 trillion e-mails sent every year and that it is focused on gathering foreign intelligence. “That’s what NSA does.”
Alexander said cybersecurity legislation is “absolutely vital” to enable NSA to protect domestic critical infrastructure, because information must be shared across organizational lines between NSA, the Homeland Security Department and the FBI, as well as with private companies. “It takes a team.” He said. “No one agency or department can do this by itself.”
Alexander acknowledged that it is politically difficult to move legislation during the presidential and congressional campaign seasons, but said both Republicans and Democrats see cybersecurity as a critical issue, with fundamental disagreements on how to address it.