CYBER COMMANDER GEN. ALEXANDER |
Cybercom Commander Calls Cybersecurity Order First Step
By Army Sgt. 1st Class Tyrone C. Marshall Jr.
American Forces Press Service
WASHINGTON, Feb. 13, 2013 - The cybersecurity policy President Barack Obama announced during his annual State of the Union address is a step toward protecting the nation's critical infrastructure, the commander of U.S. Cyber Command said here today.
Army Gen. Keith B. Alexander, also director of the National Security Agency, joined senior U.S. officials from the White House and the Commerce and Homeland Security departments to discuss strengthening the cybersecurity of the country's critical infrastructure.
"We need a way of sharing information between government and industry -- both for information sharing and hardening our networks," he said. "I think what we're doing in the executive order tackles, perhaps, the most difficult issue facing our country: How do we harden these networks when, across all of industry and government, those networks are in various states of array? We've got to have a way of reaching out with industry and with government to solve that kind of problem."
The general said the new cybersecurity policy is important to strengthening the country's defenses against cyberattacks. "The systems and assets that our nation depends on for our economy, for our government, even for our national defense, are overwhelmingly owned and operated by industry," he explained. "We have pushed hard for information sharing."
Private-sector companies have the information they need to defend their own networks in a timely manner, he said. "However, information sharing alone will not solve this problem," he added. "Our infrastructure is fragile." The executive order Obama signed to put the new cybersecurity policy into effect sets up a process for government and industry to start to address the problem, the general said.
But although the president's new executive order helps to bring about some solutions, Alexander said, it isn't comprehensive.
"This executive order is only a down payment on what we need to address the threat," he said. "This executive order can only move us so far, and it's not a substitute for legislation. We need legislation, and we need it quickly, to defend our nation. Agreeing on the right legislation actions for much-needed cybersecurity standards is challenging."
The executive order is a step forward, though, because it creates a voluntary process for industry and government to establish that framework, Alexander said.
"In particular, with so much of the critical infrastructure owned and operated by the private sector, the government is often unaware of the malicious activity targeting our critical infrastructure," he said. "These blind spots prevent us from being positioned to help the critical infrastructure defend itself, and it prevents us from knowing when we need to defend the nation."
The general noted government can share threat information with the private sector under this executive order and existing laws, but a "real-time" defensive posture for the military's critical networks will require legislation removing barriers to private-to-public sharing of attacks and intrusions into private-sector networks.
"Legislation is also necessary to create incentives for better voluntary cooperation in cyber standards, developments and implementation," he said, "and to update and modernize government authorities to address these new cyber threats."
Alexander warned that potential cyber threats to the United States are very real, pointing to recent examples.
"You only have to look at the distributed denial-of-service attacks that we've seen on Wall Street, the destructive attacks we've seen against Saudi Aramco and RasGas, to see what's coming at our nation," Alexander said. Now is the time for action, he said, and the new executive order takes a step in implementing that action.
In his role as director of the NSA, Alexander said, he is fully committed to the development of the cybersecurity framework.
"We do play a vital role in all of this, and in protecting DOD networks and supporting our combatant commands and defending the nation from cyber-attacks," he said. "But we can't do it all. No one agency here can do it all. It takes a team in the government."
And the government cannot do it by itself, either, he added. "We have to have government and industry working together as a team," he said.