Cyber Command chief proposes secure network for government, key industries
The commander of the new Pentagon unit charged with protecting the military's computer networks wants to create a "secure" network for government computer systems and those of critical industries, such as power and water.
That strategy of walling off critical computer networks from the rest of the Internet "is probably where you're going to get to, and it makes a lot of sense," said Army Gen. Keith B. Alexander, who heads the recently launched U.S. Cyber Command. Alexander also directs the National Security Agency, which conducts electronic surveillance on foreign targets.
Alexander is testifying before the House Armed Services Committee Thursday morning on the role of the Cyber Command in defending its networks and helping to secure those of the critical private industries.
In remarks to reporters Wednesday, he said that adequately securing the critical systems likely will require the formation of a team including the FBI, Department of Homeland Security and the Department of Defense. Each agency has its own authorities - the FBI to investigate crimes such as computer hacking, for instance. DHS is the lead agency in working with the critical sectors. The Defense Department currently has authority to defend only its own networks but may assist DHS if asked, Alexander said.
The White House is conducting a review to determine the best approach and whether it will require Congress to grant new authorities, he said.
Creating what some have called a dotsecure is not a new idea. Several companies proposed it in 2005, but it did not gain traction. The former director of national intelligence, Mike McConnell, advocated it earlier this year. And in a floor speech in July, Sen. Sheldon Whitehouse (D-R.I.) drew an analogy to medieval castles protecting water wells and granaries and asked, "Can certain critical private infrastructure networks be protected now within virtual castle walls, in secure domains where those pre-positioned defenses could be both lawful and effective?"
Such an undertaking would have to be done "in a transparent manner, subject to very strict oversight," Whitehouse said. "But with the risks as grave as they are, this question cannot be overlooked."
But some in industry were skeptical of the notion.
It would be impractical and "unbelievably expensive," said Joe Weiss, a cybersecurity expert for control systems in critical industries. He said he researched the concept of a secure "Utility Net" in 2001-2002 for the Electric Power Research Institute.
"It would be very difficult to try to interconnect all these different companies, including the government," Weiss said. "This isn't just one entity where you walk a wire around Potomac Electric. You have all the neighboring utilities that you need to connect to. You would also have all the other major industrial operations - and with Smart Grid, conceptually, every home-owner. This is not simple."
Whatever the solution the Obama administration puts forward for safeguarding the private sector, Alexander said, it will have to involve the companies.
"If we're going to defend networks that are owned and operated in part by industry, the solution can't be a government-only solution," he said. "It has to be joint. How do you do that? That's the key issue."
He added, "There is a real probability that in the future this country will get hit with a destructive attack, and we need to be ready for it."