In his annual appearance before the Senate Armed Services Committee last week (on March 27), Gen. Keith Alexander, Director of the NSA (DIRNSA) and the Commander of the U.S. Cyber Command (CYBERCOM), described several successes in the cyber fight but noted that much work needs to be done. In a hearing whose self-described purpose was to “receive testimony on…U.S. Cyber Command in review of the Defense Authorization Request for Fiscal Year 2013 and the Future Years Defense Program,” Gen. Alexander painted a somewhat bleak picture of our nation’s cybersecurity posture.
Why was this hearing at least somewhat different than many of the other claims of cyber doom and gloom? To begin with, Gen. Alexander observed that “[d]angers are not something new in cyberspace, of course.” He noted, however, that what he had described as being theoretical in his testimony from only a year earlier had become reality and that attacks on both critical infrastructure and corporate networks were becoming more severe. In a very sobering and alarming tone, he stated “[t]he theft of IP is astounding.” This echoed Sen. Levin’s opening remarks, where he recounted that “the relentless industrial espionage being waged against U.S. industry and Government, chiefly by China, constitute[s] ‘the greatest transfer of wealth in history.’” While various public accounts support this (including recent reports of the ten-year network intrusion into Nortel networks), it is likely that many more non-public intrusions have occurred resulting in billions of dollars in stolen IP.
Observing that “[c]yberspace has a scope and complexity that requires inter-agency, inter-service, and international cooperation,” Gen. Alexander sketched out five challenges facing Cyber Command: (1) providing a trained and ready cyber force, (2) fashioning a defensible cyber architecture, (3) defining well understood and delineated cybersecurity responsibilities (including activities by the private sector), (4) enhancing situational awareness of cyber issues, and (5) developing a cohesive plan and process for operating in cyberspace. To address these issues, Gen. Alexander described a number of different efforts and stressed the need for private sector involvement, including information sharing both with government and intra-industry.
Other interesting points in the hearing included:
- In response to a question, Gen. Alexander stated the need to be able to stop these attacks in progress, which led to a discussion of “options that would take it to the next steps…includ[ing] cyber and other options that may be available.” These options would be “for the President and Secretary [of Defense]” and clearly were references to offensive cyber capabilities.
- The continuing tension between Sen. Lieberman and Sen. McCain over their respective cybersecurity bills was apparent, as each tried to elicit testimony from witnesses to support their positions.
- Another witness, Gen. Robert Kehler (the Commander of the U.S. Strategic Command (STRATCOM)), raised the important notion of balance, in two different respects. He noted first that balance must be achieved amongst the different stakeholders. He also explicitly stated that balance is needed between the development of offensive capabilities and the defensive mission.
Ultimately, what does all of this mean for the private sector? There are a few different implications. First, information sharing may, after many years of debate, become a reality under a regime that still needs to be fleshed out. Despite critics who have said that information sharing won’t work, an approach seems to be within reach that would: (i) protect private actors; (ii) allow government to react more quickly and effectively to incoming threats; and (iii) provide more complete information to both. Second, entities maintaining good cybersecurity ‘hygiene’ will be better able to comply with requirements included in future legislation, whether under a mandatory or voluntary regime. Third, the continued focus on cybersecurity would seem to offer even greater opportunities for companies that take security and privacy seriously to differentiate themselves in the market. Finally, and perhaps most importantly, the public recognition by the government of IP theft as one of its greatest concerns means no company should take this threat lightly. No one is immune to threats from the array of attackers, whether advanced persistent threat (APT) actors or cyber activist groups. Accordingly, we all need to be vigilant and take the appropriate steps to protect our assets.