Cyberattacks on enemy computer systems should require presidential authority — and not be launched at the discretion of individual military commanders — the nation’s top cyberwarrior told Congress on Tuesday.
The comment by Gen. Keith Alexander, the head of U.S. Cyber Command, offered a rare glimpse into a largely classified debate over standing rules of engagement for the military in cyberspace. Those rules govern what commanders can and cannot do on their own authority outside war zones.
“It really comes down to, so what are those reactions that make sense that we can do defensively, analogous to the missile shoot-down?” he told the Senate Armed Services Committee.
“But if you are to go after a computer in foreign space or some other thing, that might be a response option that would now take, I think, the president and the [defense] secretary to step in and start making decisions, versus us taking that on,” Alexander said. “And I think that’s probably where we’ll end up, and that makes a lot of sense from my perspective.”
Alexander’s remarks came during a hearing that highlighted senators’ concerns about the growing threats to U.S. military, civilian and commercial networks dependent on the Internet. The threats are coming from foreign governments, criminals and hackers and may one day also come from terrorists, officials warn.
The rules of engagement were last updated in 2005 and are being revised to reflect advances in technology and capabilities.
“We are pushing for what we think we need,” Alexander said, noting that his staff members are working with the chairman of the Joint Chiefs of Staff, the Joint Staff and the Pentagon’s civilian leadership. The draft rules also will be vetted by other agencies and the National Security Council.
“Issues being ironed out are what specific set of authorities we will receive, conditions in which we can conduct response actions,” he said, adding that the work is likely to be done “in the next few months.”
The military is not allowed to take actions outside of its computer networks without special permission. Alexander alluded to a contentious debate that has been going on for years inside the Defense Department and the administration about how and when cyberwarriors might take aim at adversaries beyond their network boundaries.
He said the National Security Agency, which Alexander also heads, once detected in foreign computer networks an adversary trying to steal three gigabytes of data from an American defense contractor. The challenge was in alerting the company so that it could act fast enough to stop the theft, he said.
Alexander likened it to seeing a cyber-intrusion happen at “network speed” and then “trying to send a regular mail letter to them [saying] that you’re being attacked.”
He added, “There has got to be a better way to do that.”
Cyber Command was created in 2010 at Fort Meade, next to the operations center for the NSA, the nation’s largest spy agency.
Alexander also said that companies providing essential services such as electricity and water should meet “some set of standards” for network security as well as share data on network attacks with the government. Legislation has been introduced that aims to achieve those goals.
Some Obama administration officials in recent months objected when Alexander said publicly that he wanted greater legal authority to protect the nation’s critical private-sector computer networks against cyberattacks.
On Tuesday, when Sen. Carl Levin (D-Mich.), chairman of the committee, asked whether he was seeking additional legal authority, Alexander said, “No, chairman.”