DoD wants cyber partnership, not to spy

Monday - 2/28/2011, 7:00am EST

WFED's Jared Serbu

Click below to hear the report

Download mp3

By Jared Serbu
Reporter
Federal News Radio

The head of the military's newly-created Cyber Command said the Pentagon doesn't want to nose around in private U.S. computer networks, but it does want to help protect them.

Gen. Keith Alexander's remarks at an AFCEA homeland security conference were in line with comments about cyberspace by other Defense Department leaders before and after the Defense Department established the U.S. Cyber Command last year. DoD's message has been that it has no intention of trying to militarize the Internet. But it does, at a minimum, need to protect its own networks. And those networks rely on private contractors, a private electric grid, and plenty of other critical private infrastructure.

"Everybody says, 'I don't want the intel community or the military in my networks.' Well, here's my comment: The only ones who aren't in your networks are us," Alexander said. "There isn't enough room for us in there. We don't want to be in there. We don't want to spy. We want to protect them. We see this as something absolutely vital to the future of our country. Cybersecurity for government and critical infrastructure is key to the security of this nation, and we've got to do that right. We can do that and protect civil liberties and privacy."

Alexander said aside from the military's own interest in defending the IT infrastructure it depends on, there are practical considerations the nation should consider as it ponders the role of the National Security Agency and DoD in securing private and civilian government networks. Carrying out that defense effectively, he said, requires the full-time expertise and manpower that only a huge, specialized agency like the NSA can provide.

DoD recognized that by co-locating the new Cyber Command with the NSA at Fort Meade, Md., it should try to leverage the intelligence agency's existing capabilities rather than trying to replicate them, said Alexander, who is also NSA's director.

"We don't have the money, we couldn't create the people fast enough, and we couldn't do it any other way than to leverage NSA as we know it," he said. "And when you think about it, that's good, efficient use of our nation's resources. It has our nation's center of gravity in crypto-mathematicians. When you look across what that means in operating on the networks, it's huge. The Department of Homeland Security is no different. If DoD couldn't afford to build another NSA, neither can DHS."

DHS is responsible for cybersecurity on civilian government networks. Through a memorandum of understanding with DoD, the two agencies already are sharing cybersecurity information and personnel.

Deputy Defense Secretary William Lynn said in a Feb. 15 speech in San Francisco that DoD would like to broaden that model to the private sector, through an expansion of the military's Information Technology Exchange Program.

"This program, whose pilot is just getting underway, will allow for the exchange of IT and cybersecurity personnel between government and industry," Lynn said to an audience of private sector IT security experts at the RSA Security conference. "We already share unclassified threat information on a limited scale with defense companies whose networks contain sensitive information. How to share classified signatures and the technology to employ them across the full range of industrial sectors that support the military and underpin the economy is a pressing policy question. Owners and operators of critical infrastructure could benefit from the protections that active defenses provide. We have the technology and know-how to apply them in a civilian context. The real challenge at this point is developing the legal and policy framework to do so."

Alexander said the nation's current mood regarding the military's role in private networks' cybersecurity is somewhat conflicted. He said policymakers want NSA's technical capabilities without the involvement of the NSA, and the military's deliberate processes without the involvement of the military, all with ironclad civil liberties assurances.

He said policy can provide for security and privacy at the same time, but doing so would depend in part on better public understanding of the issues.

"One of the key issues we face as a country in talking about civil liberties and privacy in cybersecurity is digital literacy," he said. "Many people will obfuscate the facts by saying, 'So and so is doing X,' or, 'This is what I see, Y.' And the reality is that they don't know what X or Y are doing. We've got to educate people on what it is that we need to do within our networks to secure them."