By Ellen Nakashima
Washington Post Staff Writer
Wednesday, May 6, 2009
The Pentagon is considering whether to create a new cyber-command that would oversee government efforts to protect the military's computer networks and would also assist in protecting the civilian government networks, the head of the National Security Agency said yesterday.
The new command would be headquartered at Fort Meade, the NSA's director, Lt. Gen. Keith B. Alexander, told the House Armed Services terrorism subcommittee.
Alexander, who is a front-runner to assume control of the command if it is created, said its focus would be to better protect the U.S. military's computers by marrying the offensive and defensive capabilities of the military and the NSA.
Through the command, the NSA would also provide technical support to the Department of Homeland Security, which is in charge of protecting civilian networks and helps safeguard the energy grid and other critical infrastructure from cyber-attack, Alexander said.
He stressed that the NSA does not want to run or operate the civilian networks, but help Homeland Security improve its efforts.
"So if we develop something we're going to use for the Defense Department, it makes no sense for [Homeland Security] to develop the same thing," he said in a short interview after the hearing. "They can leverage it . . . We have great technical people. We can provide them the support."
His remarks come as the White House is preparing to release a report based on a review of the government's cyber-security initiatives. The cyber-command idea was raised in a letter last year by then-Director of National Intelligence Mike McConnell to Defense Secretary Robert M. Gates.
As proposed by the Pentagon, the command would fall under the U.S. Strategic Command, which is tasked with defending against attacks on vital interests.
The NSA, which drew fire for its role in the Bush administration's program to monitor without a warrant Americans' e-mails and phone calls, has "phenomenal depth and expertise far beyond what is there at DHS," said Amit Yoran, a former top DHS cyber-security official now in the private sector.
But Yoran cautioned that the effort must be transparent. "DHS needs to be very, very cautious about its participation in a program like that because you could fundamentally erode the trust DHS needs in order to be successful in its broader security mission."
Any effort involving the NSA that goes beyond protecting the military networks requires careful legal analysis, he said.
Alexander said a host of questions must be resolved for the military and intelligence community to broaden their partnerships with other entities. "What is the framework for sharing threat signatures that are classified? How do we do it at network speed so that it's defensible? What's that legal framework and what's that operational framework? Those are areas that technically are easier to do than to set the legal framework up."
Already, he said, DHS officials have been invited to see how the NSA runs its cyber-security, he said. The idea would be to formalize that partnership.
"We could say, 'Here's the path we're going down,' " he said. "They can choose their own path, but at least they know one that's been tried and the problems and issues we've had."
To truly address the cyber-threat, the military must boost its partnership with the private sector as well as with DHS, he said at the hearing.
But the path forward has obstacles, he acknowledged. Say the NSA discovers a malicious computer code that an adversary is using, he said. If the government shares that classified information with, say, the antivirus industry, "how do we ensure that it's not given out so widely that our adversaries have it?" he said.