Washington, DC – The $110 billion-a-year cyber economy has never been more vulnerable to crime and other threats, and securing the Internet against attacks demands the expertise of government agencies, industry and allies, the commander of US Cyber Command said here.
Army Gen. Keith B. Alexander, Cybercom chief and director of the National Security Agency, spoke on Nov 7 before a large audience at the Symantec 2012 Government Symposium. The symposium examines a fundamental question: How to protect sensitive information while enabling collaboration across jurisdictions, nations, citizens and the private sector?
“Government … operations depend on the network. If we lose that network we can’t communicate, [and] … what happens when [adversaries] disrupt our network or the power grid or our banking institutions?” Alexander said, adding that the US must work with its partners in industry and its allies to solve the problem.
“Many will ask about the roles of [the National Security Agency and Cybercom] in this, and how can we ensure civil liberties and privacy [as well as] the security of cyberspace? We can do both,” he said.
One of the first things industry and government must decide is how to make sure all companies involved in US critical infrastructure — including financial and information services and the defense industrial base — institute the highest possible levels of computer security.
“How many companies in the United States and among our allies are at this level?” Alexander asked.
“We actually do inspections,” he added. “We inspect our government networks to see how many are at 100 percent. And the answer is, very few.”
Companies in some sectors, like banking and the high end of the defense industrial base, are “right there at the top” of computer security, the general said.
“Then you go out to some companies that are being [attacked by adversaries in cyberspace] and they don’t know what the threat looks like nor what they should do, and some of them are in critical infrastructure,” he added.
Nobody wants to make such an effort hard, costly or bureaucratic, Alexander said. “The question is how do we help them?” he said. “What’s the right forum for government and industry to work together to help those companies get to the right level of security?”
Another imperative for government-industry collaboration involves gaps in computer security exploited by what are called “zero-day” attacks — those that exploit vulnerabilities in computer applications.
Eventually, patches are created to plug the security holes, but not before adversaries have entered and damaged the network or stolen intellectual property.
Alexander used an analogy to explain how Cybercom or the NSA could help industry identify what the general called “bad packets,” or those that carry destructive payloads out on the Internet.
“Internet service providers see packets out there. We want them to be able to see bad packets and do something about them. We’ll have [an examination process] for every packet. And we’ll say, ‘Did you see a bad packet in the network? Tell us where it’s coming from and going to, and stop it because [it’s carrying] a destructive payload,’” the general explained.
“When they see that bad packet, we don’t need to know what was in the communications,” he added. “All we need to know is a dangerous packet went from point A to point B right now, and that we may need to act.”
The federal government “is not looking at the traffic,” Alexander said.
“Industry is looking at the traffic and they have to do that to own and operate these networks. We’re going to help them with signatures and other things, and they need to tell us when they need our help. But it’s got to be done in time for us to help, and that’s part of the key issue.”
At Cybercom, the general said, experts are training the cyber workforce of the future, determining roles and responsibilities of the federal agencies involved in cybersecurity and exploring a defensible architecture for the Defense Department.
“The DOD architecture, in my opinion, is not defensible per se. We’re doing our best to defend it, but we’ve made this really hard,” Alexander said. The department has 15,000 enclaves, each run by separate system administrators and each with its own firewalls, he added.
“What that means is we need to come up with a defensible architecture,” the general said, adding that “a … virtual cloud is key to our success for a couple of areas for the Defense Department,” including for a growing number of mobile users. Cybercom and other agencies are also working on issues related to their authority to respond to a problem, Alexander said.
The key question, he added, is what can the Department of Homeland Security, the FBI, Cybercom and the NSA do to defend the country against a cyberattack, and when can they do it?
Alexander said that he, DHS Secretary Janet Napolitano, and FBI Director Robert S. Mueller III “have laid out lanes in the road for the government entities.”
The FBI is responsible for investigation, attribution and domestic problems. DHS is responsible, along with partners like NSA, the National Institute of Standards and Technology and the SANS Institute, for cybersecurity standards.
NSA and Cybercom have a couple of roles and responsibilities, Alexander said, including foreign intelligence.
“NSA has the best folks in the world,” the general said. “They have special skills and we want to leverage those skills to help secure cyberspace for our country and for our allies.”
Cybercom’s role “is not only to operate and defend DOD networks but to defend the country,” he said, noting Cybercom would step in if America came under cyberattack.
In the meantime, the general said, he’s concerned that attacks like the destructive August attack on computers at Saudi Arabia’s government-owned oil company Aramco are happening and “we’re spending a lot of time talking about what we should do and when we should do it.”
While there is still time, he said, “while you’re all in the room together with us … we ought to argue it out just like we did in the election [on Tuesday], come to a solution and then get going.”