The head of Cyber Command warned yesterday congressional delay in passing cybersecurity legislation is putting the nation at risk, while he also sought to allay concerns about the government receiving information about the private sector’s Internet activity.
Army Gen. Keith Alexander, commander of the Cyber Command and head of the National Security Agency, avoided commenting during a speech yesterday on the multiple cybersecurity bills lawmakers are debating. Yet he emphasized the need for legislation that enables and encourages infrastructure entities, such as electrical grids and banks, to quickly tell the government when they are under cyber attack.
“One of the things that we have to have (with legislation), is if the critical-infrastructure community is being attacked by something we need them to tell us at network speed,” Alexander said during a speech at the American Enterprise Institute think tank in Washington.
“It doesn’t require the government to read their mail, or your mail, to do that. It requires them…–the Internet service provider or that company–to tell us that that type of event is going on at this time.”
Alexander said this notification “has to be at network speed if you’re going to stop” the cyber attack.
“It’s like a missile coming in to the United States,” he said, adding that someone would not notify the government about an incoming missile via “snail mail.” He said the notification about cyber attacks could be in “real time,” but under a construct where citizens know “that we’re not looking at (taking actions that would raise concerns about) civil liberties and privacy.”
Alexander said the government needs to warn the private sector and critical-infrastructure defenders about cyber threats and also learn when attacks hit, but does not want to go as far with information sharing as to read citizens’ personal e-mails.
“The key thing in (the debate over such) information sharing that gets, I think, misunderstood, is when we talk about information sharing we’re not talking about taking our personal e-mails and giving those to the government,” he said. He said people need to be better educated to understand this distinction regarding information sharing.
“If we don’t, my concern is what will happen is we’ll argue about this,” he said, alluding to the current congressional debate over legislation. “We’ll never get to a solution until something bad happens,” he added, warning of officials overacting after a crisis. “So while we have the time, the patience, and the understanding, let’s get this right. Let’s do it now.”
House Republicans and Senate Democrats are at odds over such legislation. The House passed in April multiple cybersecurity bills including the Cyber Intelligence Sharing and Protection Act, which is intended to make it easier for companies and the government to share cyber-attack information. The White House threatened to veto the bill, though, arguing it would lead to firms giving customers’ private information to government intelligence authorities.
The Senate, meanwhile, is poised to debate an alternate bill from Sens. Joe Lieberman (I/D-Conn.) and Susan Collins (R-Maine) that would do a key thing the House-passed measure would not: allow the government to set standards for securing critical infrastructure.