Pentagon computer-network defense command delayed by congressional concerns

By Ellen Nakashima
Washington Post Staff Writer
Sunday, January 3, 2010; A04

The Pentagon's plan to set up a command to defend its global network of computer systems has been slowed by congressional questions about its mission and possible privacy concerns, according to officials familiar with the plan.

As a result, the Defense Department failed to meet an Oct. 1 target launch date and has not held a confirmation hearing for the command's first director.

Although officials stress that the cyber command, as it is known, is an effort to consolidate existing offensive and defensive capabilities under one roof and involves no new authorities or broadening of mission, its potential for powerful new offensive capabilities -- some as yet unimagined -- has raised questions on Capitol Hill about its role, according to national security experts familiar with the concerns.

Key questions include: When do offensive activities in cyberspace become acts of war? How far can the Pentagon go to defend its own networks? And what kind of relationship will the command have to the National Security Agency?

The NSA has the skills and authority to encrypt military secrets and break enemy codes, but its involvement in the controversy over warrantless wiretapping several years ago has raised concerns about any role it will play in a cyber command.

Resolving questions about the command's mission is central not only to the effort to defend military networks, which come under assault millions of times a day, but to establishing the Pentagon's cyber strategy as the United States enters an era in which any major conflict will almost certainly involve an element of cyberwarfare.

"I don't think there's any dispute about the need for Cyber Command," said Paul B. Kurtz, a cybersecurity expert who served in the George W. Bush and Clinton administrations. "We need to do better defending DOD networks and more clearly think through what we're going to do offensively in cyberspace. But the question is how does that all mesh with existing organizations and authorities? The devil really is in the details."

Officials said the initial operating plan for a cyber command is straightforward: to merge the Pentagon's defensive unit, Joint Task Force-Global Network Operations, with its offensive outfit, the Joint Functional Command Component-Network Warfare, at Fort Meade, home to the NSA. The new command, which would include about 500 staffers, would leverage the NSA's technical capabilities but fall under the Pentagon's Strategic Command.

The plan also calls for beefing up "intelligence sensing," or the blocking of malicious software and codes entering military networks, officials said.

What level of defense?

But the plan becomes more complicated as policymakers assess how aggressive to be in their defense of military networks.

Data move at the speed of light along channels owned by commercial carriers, entering government networks at "gateways," or at the perimeter. Technology exists to detect malware at the gateways and in the commercial networks, but the ability to use that technology has given rise to policy questions.

One senior defense official said officials are trying to figure out, for instance, to what extent it is legal and desirable to remove malware outside the gateways as it heads to military networks.

"What can you do at the perimeter?" he said. "What can you do outside the perimeter? We haven't had resolution on that."

Privacy advocates are sensitive to government monitoring of communications networks at or just outside the gateways, particularly if the effort involves private Internet carriers, out of concern that purely private, non-government communications could be monitored. But defense officials said they are not contemplating the involvement of private firms.

The Pentagon is working with the Justice Department, the Department of Homeland Security, the White House and other agencies to ensure its efforts are legal and synchronized within a national cyber-policy framework, officials said. Congressional buy-in is important, they said. So far congressional staff have been briefed three times, and the Pentagon hopes to brief lawmakers this month.

Officials said members of the Senate Armed Services Committee will hold the confirmation hearing for a new director once staff are satisfied they understand the command's purpose and operating plan.

"Our goal here is to better protect our forces," said Deputy Assistant Secretary of Defense Robert J. Butler. "If someone can intrude inside the network, it could impair our ability to communicate and operate."

President Obama has nominated the director of the NSA, Lt. Gen. Keith B. Alexander, to head the command. Alexander, who would become a four-star general, must be confirmed in that position before the command can launch at "initial operating capability." It is scheduled to become fully operational by Oct. 1.

Sen. Bill Nelson (D-Fla.), chairman of the Armed Services emerging threats subcommittee, said that though there are "some policy questions" to be answered, he was confident Alexander would be confirmed.

Nonetheless, the NSA's involvement, given the past controversy, has raised questions of oversight.

"How do we make sure that if the National Security Agency is involved, that we don't have a problem with people seeing other people's information?" the defense official said, describing one congressional concern. "We've made it very clear. No information will be shared other than to support what we need to defend the networks -- the defense military information networks. The rest of that information, NSA is bound by legal rules" to protect Americans' privacy.

Defining 'defense'

NSA Deputy Director Chris Inglis said in a recent interview that "90 percent" of the command's focus will be on defensive measures because "that's where we are way behind."

"If we led with attack, people would say, 'That's just nuts. That's completely irrational,' " he said. "You've got to be about the defense."

Other intelligence experts, however, said that the term "defense" is malleable. They argue that the government is spending a significant amount of money on classified cyber programs to develop offensive capabilities.

Beyond a cyber command, the Pentagon is grappling with a dizzying array of policy and doctrinal questions involving cyber warfare.

Who should authorize a cyber attack on an adversary that might be capable of undermining the United States' financial system or energy infrastructure? What degree of certainty is needed about an alleged attacker before authorizing a response? When does an effort to defend a U.S. military network cross the line into an offensive action?

Many of these questions will be answered down the road, after the command is launched, and perhaps some won't be answered for years, defense officials said.

Still, such issues are important ones, said one official familiar with the Pentagon's plans, who was not authorized to speak for the record. "The rules can vary dramatically depending upon under what authority you're doing something," he said. "An offensive action is not a decision that can be taken very lightly. It is an extraordinary action because of the consequences that could result for either DOD or the intelligence community or critical U.S. industries."

© 2010 The Washington Post Company