The nation’s top military cyber commander offered his version of how government and military agencies are likely to work together when America suffers cyber attacks, and warned that industry needs to take a greater role.
“We have laid out lanes of the road,” Gen. Keith Alexander, commander of Cyber Command and director of the National Security Agency, said, sketching them out in broad terms for an audience of security professionals yesterday at a symposium in Washington sponsored by Symantec.
The issue, he said, is “when and what does the Department of Homeland Security, the FBI, U.S. Cyber Command, and NSA do to defend the country from cyber attacks.”
According to Alexander:
The NSA would be responsible for foreign intelligence and detecting enemies overseas while Cyber Command would be called in if there was a direct cyber attack on U.S. infrastructure, Alexander said.
DHS would take the lead domestically, setting standards and regulations to follow, and serving as first responder, said Alexander.
Most importantly, the process must be transparent and it must be headed by a civilian agency such as the DHS. “They are the public face,” he said. “This is a job for all of us, and we need to help DHS get there,” he said.
The FBI, meanwhile, would be responsible for investigations and in particular the issue of attribution, which remains one of the thorniest aspects of responding to cyber attacks.
Those roles, and the tangle of authority issues behind them, appear to be falling into place after years of discussion about the best ways to tie together all of the different civilian and military agencies to handle a crisis in cyberspace.
But Alexander also stressed the importance for industry, government and even the Defense Department to take more robust steps to develop “defensible architectures” in order to secure their networks.
Virtually every major corporation in America, and around the world, is experiencing cyber attacks. “Everybody is getting hit,” Alexander told the audience. And he warned that the attacks are becoming “not only disruptive, but destructive.”
Alexander noted the difficulties the Defense Department has in protecting its own networks. The Pentagon currently has some 15,000 network enclaves, each with its own equipment and administrators. Even with ongoing consolidation efforts, the sheer size of the organization means that there are plenty of chinks in its armor.
“The DoD network is not defensible, per se,” he stated soberly. “We are defending it,” but the number of separate systems makes it practically impossible to keep every system up to date.
Too much time has been spent talking not only about how to make computer networks safer, but also about what roles the government, the military and industry should play in countering the rise of cyber crime, intellectual property theft and the growing threat of attacks on the nation’s infrastructure, said Alexander.
If proper security measures aren’t in place, a major attack, such as the one that disabled thousands of computers inside Saudi Arabia’s national oil company, would not only result in large-scale damage, but could inadvertently cause governments to react — and probably do the wrong thing, he said.
Because most of the country’s computer and communications infrastructure is privately owned, much of the responsibility for protection lies with the commercial sector. Although some sectors, such as finance, have very good security, most companies don’t follow basic security measures, either out of ignorance or uncertainty, Alexander said. This opens vast parts of the economy to attack.
Alexander pointed to the SANS 20 Critical Security Controls, developed by a consortium of security organizations, including NSA, US-CERT, the Defense Department and the Center for Strategic and International Studies. Those standards, said Alexander, should be the minimum that corporations and critical infrastructure providers have in place. Then resources could be concentrated on the gaps determined hackers look to exploit.
Recent attempts to craft comprehensive legislation to require corporations to follow basic, agreed-upon cyber security measures have met resistance, most notably from the Chamber of Commerce, which is afraid of costly and intrusive federal regulations and requirements.
Stymied, the White House is readying an Executive Order establishing a voluntary program that firms, such as power companies, can join to share critical information with the government in case they are attacked. Congressional staffers at the conference said that politics were a major reason for holding up cybersecurity legislation and with the election over, there should be few roadblocks next year. Others have urged the Office of Management and Budget to take greater action with agencies.
Alexander recently reached out to the business community and in his speech today he stressed that the public and private sectors must work together to secure the national infrastructure.
There has been some progress on the government side of things. Alexander noted that there is a focus on several critical areas: people, command and control, defensible architectures and authority. Intelligence organizations like the NSA work hard to attract the best and brightest to man their cyber operations branches. The government is also putting a lot of effort into retaining and training them.
One potential solution is to adopt a virtual cloud model supporting many mobile users, Alexander said. But instead of just developing these technologies in-house, the government needs to reach out to the software development community.
For example, he noted that the NSA developed Accumulo, a cloud-based system with a real-time security layer. The agency then put the software out to the open source community to improve it. Alexander calls this the “Tom Sawyer” method: getting lots of other developers to help work on a problem, like Mark Twain’s character getting help to paint a fence.