The nation needs cyber-security legislation to authorize sharing of threat data between industry and government in real time, said Gen. Keith Alexander, chief of both the National Security Agency and the US Cyber Command, and it can be done without any danger to individual privacy.
“This cyber legislation that’s coming up is going to be absolutely vital to the future of our country,” said Gen. Alexander.
As for the idea that the US government will be able to read every individual citizen’s email, or even wants to, “that’s bull — baloney,” he said, catching himself mid-expletive.
Speaking to a tough crowd at the libertarian-leaning American Enterprise Institute in Washington, Alexander said he was optimistic that Congress would overcome its skepticism over privacy concerns and act. “This time of year it’s politically very difficult to move things through, but in my experience in working with both sides, both the Republicans and the Democrats see this is a key issue,” he said. “I am getting a lot of calls from both sides and in my perspective they both want to push this.”
“We may not get everything that I personally want,” Alexander said, but “information sharing is one [aspect of the bill] that everybody agrees on. The hard part is going to be, ‘What do you mean by setting standards?’”
It is vital, Alexander said, to educate the American people about what the threat is, what must be done to combat it, and how that defense does not endanger their privacy. “If we can’t explain that to the American people, then how do they know what we’re talking about is true?” he said. “The reality is we can do protection of civil liberties and privacy and cybersecurity, as a nation. Not only we can…. we must.”
“We’re not talking about taking your personal emails and giving those to the government,” Alexander emphasized. “We don’t hold data on US citizens.” The sheer volume of emails sent in the US means the government couldn’t scoop up citizens’ private communications indiscriminately even if it wanted to, he said: “Just for one minute think,” he said. “We’re talking about probably 30 trillion emails a year or more…. Anybody read 30 trillion emails?”
What government agencies need private companies to report is simply that the telltale “signature” of a certain threat is being sent from one computer system to another, he said. For example, if a particular virus were embedded in an email to someone at a power company, “we’d need to know that signature A was trying to get into the power grid and going from website X to website Y,” he said. “We don’t need to know what’s in that email.”
“If the critical infrastructure community is being attacked by something, we need them to tell us — at network speed,” he said. “It doesn’t require the government to read their mail or your mail to do that.”
Alexander’s repeated calls for “network speed,” however, imply that sending that information must be automated, or at least left to a quick click by a network administrator — with minimal time for thought, let alone legal review. That’s why it’s essential to get the rules and standards right to begin with.