White House seeks expansion of Cyber Command’s civilian cybersecurity authority

The U.S. Cyber Command was set up this year within the Department of Defense (DoD) to tackle the cybersecurity requirements of the DoD’s networks and to conduct military cyberspace operations. However, the command could also have a broader role in the civilian sector through protecting US critical infrastructure networks and systems.

Alexander, who is also director of the National Security Agency, told the House panel that the White House is examining the legal authority needed for the Cyber Command to take on a broader role in defending cyberspace. This may require additional action by Congress for the command to take on a larger cybersecurity role.

The general said that the US critical infrastructure – for example, energy, utilities, public transportation, banking, and chemical industries – is increasingly dependent on networks and thus increasingly vulnerable to cyberattack.

“We have to partner with industry…Much of the infrastructure that we operate on is owned by industry. They have tremendous technical talent. We have to bring [that talent] together with what the government knows from a threat perspective and the tactics, techniques and procedures we develop for operations…That is part of the discussion that is ongoing that will result in the additional authorities that the White House is working on to bring forward,” he said.

In his prepared statement, Alexander said adversaries are developing new tools to damage and destroy computer and network systems. “This recent shift toward operationalizing cyber tools as weapons to damage or destroy is of great concern to us at Cyber Command,” he said.

“Successful defense in any one part [of cyberspace] depends on the shared efforts of agencies, industry, allies, and mission partners who watch their own networks for problems that could affect them all...Security is always inconvenient, and even more so in cyberspace because it costs time to get it right and keep up-to-date – which is much of the battle right there. The cost of successful attack, however, is much higher than the expense of connecting and deploying the hardware and software to stay connected. Making security work requires common standards and terminology and the sharing of great quantities of timely information,” he added.

In response to a question by Rep. Joe Wilson (R-SC) concerning the privacy and civil liberties implications of an expanded role of the Cyber Command, Alexander said that “we have a responsibility to protect the civil liberties and privacy of the American people”.

Alexander said his command will work to expand the transparency of its operations to assure the American people and Congress that it is protecting privacy and civil liberties. “What we can’t do, however, is say, here is a specific threat we are defending against and how we are defending against it because the adversary in three days will be able to work around it.”

Kicking off the hearing, Committee Chairman Ike Skelton (D-MO) said that the US government must “do more to improve security in cyberspace and manage risk without choking off creativity and innovation.”

Ranking Republican Howard McKeon (R-CA) added that the “potential for harm from malicious activity reaches beyond the sphere of traditional military influence into financial systems, critical domestic infrastructure, such as power and water treatment plants, and personal information, [which] all can be touched and disrupted through cyberspace.”
