The director of the National Security Agency made a fresh appeal Monday for cybersecurity legislation to enable the sharing of threat data between the private sector and the government, asserting that the NSA and other agencies were not interested in reading Americans’ e-mails.
Gen. Keith Alexander, who also heads U.S. Cyber Command, said such data-sharing was necessary if the NSA and Cyber Command are to defend the nation against a cyberattack from a foreign adversary. A major concern among civil liberties advocates is that data turned over to the government might violate citizens' privacy.
“The key thing in information sharing that gets misunderstood is...we're not talking about taking our personal e-mails and giving those to the government,” Alexander said to an audience at the American Enterprise Institute.
Rather, he said, the information sought is more technical, such as the Internet Protocol address the malware was coming from, or the computer port number it passed through. Also crucial, he said, is to have that data at “network speed,” or as it is being detected. “If we know it at network speed, we can respond to it,” he said.
Exactly what Cyber Command or any other government agency might do, and the rules and authorities that govern such actions, are being debated now, he said.
Several cybersecurity bills are pending in Congress, with Senate leadership expressing the intent to bring a package of cyber legislation to the floor this month. Senate Democrats and Republicans are hashing out a compromise on that legislation, which includes an effort to require critical private sector industries, such as power, water and transportation, to set and meet network security standards.
On Monday, Alexander also said that standards were necessary, but “the hard part” was figuring out how to set them. As a possible model, he pointed to the SANS Institute's 20 Critical Security Controls, a set of baseline measures that federal and commercial information security officers came up with under the auspices of the SANS education and research institute.
He acknowledged the uphill battle the legislation faces in an election year. But he said he did not want to face the alternative: acting in a crisis, and having to get “hauled down” to the Hill to explain why the government was not able to prevent a major cyberattack.