Lt. Gen. Alexander and the U.S. Cyber Command
The Chairman of the Armed Services Committee, Senator Carl Levin (D Michigan) began by posing three scenarios to Lieutenant General Alexander:
Scenario 1. A traditional operation against an adversary, country “C”. What rules of engagement would prevail to counter cyberattacks emanating from that country?
Answer: Under Title 10, an “execute” order approved by the President and the Joint Chiefs would presumably grant the theater commander full leeway to defend US military networks and to counter attack.
Title 10 is the legal framework under which the US military operates.
Scenario 2. Same as before but the cyberattacks emanate from a neutral third country.
Answer. Additional authority would have to be granted.
Scenario 3. “Assume you’re in a peacetime setting now. All of a sudden we’re hit with a major attack against the computers that manage the distribution of electric power in the United States. Now, the attacks appear to be coming from computers outside the United States, but they are being routed through computers that are owned by U.S. persons located in the United States, so the routers are in here, in the United States.
Now, how would CYBERCOM respond to that situation and under what authorities?”
Answer: That would be the responsibility of the Department of Homeland Security (DHS) and the FBI.
Alexander was repeatedly asked about privacy and civil liberties impact of his new role, and gave answers that were, well, full of platitudes but essentially uninformative.
He also played up the threat, saying that U.S. military networks are seeing “hundreds of thousands of probes a day,” whatever that means.
Prior to the hearing, Alexander answered written questions from the commitee. Particularly interesting are his answers to questions 24 and 27.
24. Explaining Cybersecurity Plans to the American People
The majority of the funding for the multi-billion dollar Comprehensive National Cybersecurity Initiative (SNCI) is contained in the classified National Intelligence Program budget, which is reviewed and approved by the congressional intelligence committees. Almost all important aspects of the CNCI remain highly classified, including the implementation plan for the Einstein 3 intrusion detection and prevention system. It is widely perceived that the Department of Homeland Security is actually likely to simply extend the cyber security system that the NSA developed for DOD into the civilian and even the private sector for defense of critical infrastructure. DOD is creating a sub-unified Cyber Command with the Director of NSA as its Commander.
24a) In your view, are we risking creating the perception, at home and abroad, that the U.S. government’s dominant interests and objectives in cyberspace are intelligence- and military-related, and if so, is this a perception that we want to exist?
(U) No, I don’t believe we are risking creating this perception as long as we communicate clearly to the American people—and the world—regarding our interests and objectives.
24b) Based on your experience, are the American people likely to accept deployment of classified methods of monitoring electronic communications to defend the government and critical infrastructure without explaining basic aspects of how this monitoring will be conducted and how it may affect them?
(U) I believe the government and the American people expect both NSA and U.S. Cyber Command to support the cyber defense of our nation. Our support does not in any way suggest that we would be monitoring Americans.
(U) I don’t believe we should ask the public to accept blindly some unclear “classified” method. We need to be transparent and communicate to the American people about our objectives to address the national security threat to our nation—the nature of the threat, our overall approach, and the roles and responsibilities of each department and agency involved—including NSA and the Department of Defense. I am personally committed to this transparency, and I know that the Department of Defense, the Intelligence Community, and the rest of the Administration are as well. What needs to remain classified, and I believe that the American people will accept this as reasonable, are the specific foreign threats that we are looking for and how we identify them, and what actions we take when they are identified. For these areas, the American people have you, their elected representatives, to provide the appropriate oversight on their behalf.
(U) Remainder of answer provided in the classified supplement.
24c) What are your views as to the necessity and desirability of maintaining the current level of classification of the CNCI?
(U) In recent months, we have seen an increasing amount of information being shared by the Administration and the departments and agencies on the CNCI and cybersecurity in general, which I believe is consistent with our commitment to transparency. I expect that trend to continue, and personally believe and support this transparency as a foundational element of the dialogue that we need to have with the American people on cybersecurity.
27. Designing the Internet for Better Security
Cyber security experts emphasize that the Internet was not designed for security.
27a) How could the Internet be designed differently to provide much greater inherent security?
(U) The design of the Internet is—and will continue to evolve—based on technological advancements. These new technologies will enhance mobility and, if properly implemented, security. It is in the best interest of both government and insustry to consider security more prominently in this evolving future Internet architecture. If confirmed, I look forward to working with this Committee, as well as industry leaders, academia, the services, and DOD agencies on these important concerns.
27b) Is it practical to consider adopting those modifications?
(U) Answer provided in the classified supplement.
27c) What would the impact be on privacy, both pro and con?
(U) Answer provided in the classified supplement.
The Electronic Privacy Information Center has filed a Freedom of Information Act request for that classified supplement. I doubt we’ll get it, though.
The U.S. Cyber Command was announced by Secretary of Defense Robert Gates in June 2009. It’s supposed to be operational this year.