In the world of cybersecurity, a question of who's in charge
WASHINGTON — In a nationally televised cyberwar game earlier this year, it took “about four minutes” for the Department of Homeland Security to ask the Pentagon to take the lead in defending the nation, according to former CIA director Gen. Michael Hayden. In military circles, there is a widely held perception that during a real cyberattack, the Pentagon and its Cyber Command would take the lead in a federal government response.
In reality, it remains far from clear who will be in charge.
Almost 16 months after President Barack Obama declared cybersecurity a “national security priority,” critics from Congress to private industry say the White House has dragged its feet in developing a hierarchy of authority that intelligence leaders say is badly overdue. The Pentagon, many believe, has not sufficiently asserted its claim to those powers.
But on Thursday, Gen. Keith Alexander, commander of U.S. Cyber Command and the National Security Agency, told the House Armed Services Committee that he needs two things: money and authority.
“Right now, the White House is leading a discussion on what are the authorities needed and how do we do this and ... how will that team operate to defend our country?” he said.
While there is plenty of discussion, there are few decisions.
A small coordinating team is figuring out who will respond to cyberattacks, ranging from a shutdown of privately run power grids to destructive halts of battlefield command networks, Alexander said.
But don’t expect the military to protect the nation’s critical computer infrastructure yet.
Rep. Jim Langevin, D-R.I., asked: “If the nation were to endure a major cyberattack right now, could you defend the nation against that attack? Do you have the authorities to defend the nation against that attack?”
“It is not my mission to defend, today, the entire nation,” Alexander replied. “Our mission at Cyber Command is to defend the Defense Department networks. If we are tasked by either the [defense] secretary or the president to defend those networks, then we’d have to put in place the capabilities to do that.”
Ultimately, Congress will provide the legal framework the administration needs for cybersecurity. Still, there is much to sort out among several committees that claim oversight roles.
With the clock ticking on the current session, and November elections approaching, many observers believe it is unlikely Obama will receive a cybersecurity bill this year.
To have a chance, Congress this fall must reconcile several bills that would be among the first to spell out necessary authorities for federal agencies.
Two nonmilitary committees have staked claims for their federal agencies. The House passed the Energy and Commerce committee’s Cybersecurity Enhancement Act of 2010 in February. But its Senate version remains stalled in committee. It would allocate authority to some agencies but does not address security concerns like the power grid.
In June, the Senate Homeland Security and Government Affairs committee passed a wider bill that gives sweeping authority to more than a dozen government agencies, creates a National Center for Cybersecurity and Communication, and provides the president a “kill switch” to shut down huge sections of the Internet in a cyberattack. A Senate aide who helped write the latter bill said their team “consulted” with some Pentagon staffers, but thought the role of the military’s Cyber Command was out of their jurisdiction and best left for the armed services committee.
That bill stalled as well.
No cybersecurity bill has emerged from either armed services committee, though they have granted the Pentagon some expanded cybersecurity authorities it requested in recent years. But as the White House interagency sorting continues, the Pentagon has not put forth a wish list of what government-wide responsibilities it wants to keep under it’s control, a second senior committee aide said.
“Nothing like that has come over from the president or from any other of the executive agencies, up to this point,” the aide said. “They’re just behind the power curve, really.”
Gen. Kevin Chilton, head of Strategic Command, said this month that though the DOD might not be in the lead, its contributions will be critical.
“I can’t help but think there will be an important role for the DOD to support any organization in our government and team with them,” he said. “But the operative word here is ‘support.’”
“One thing I know for sure, and that is, as a minimum, if someone were to attack critical infrastructure in the United States of America, that the president and the secretary of defense will turn to [STRATCOM] and depend on us and the rest of the military to do something about it,” he said.
On Friday, a Defense Department spokesperson said, “There is currently an internal interagency process underway to determine whether new authorities will be required in the future to effectively defend the nation from cyber attack. DOD is taking an active role in that process while continuing to discuss these issues with our committees of jurisdiction.”
Jennifer Kohl, a House Armed Services Committee spokeswoman, said she doesn’t believe the Pentagon is taking a secondary role.
“A policy decision was made long ago to have DHS in charge of the civilian networks, and DOD supports the national policy,” Kohl said in an e-mail Friday. “DOD is also already at a better starting position, so it makes sense to place emphasis on areas where the nation is weakest, such as civilian networks. The Pentagon seems to be positioning itself well, in that it doesn’t necessarily want to be in charge, but it also wants to be clear on expectations and authority to execute.”
But David Bodenheimer, a homeland security attorney in Washington and co-chair of the American Bar Association’s Cybersecurity Committee, said he can’t figure out why the Pentagon doesn’t want to be in charge. Earlier this year, Bodenheimer called for more robust military cybersecurity leadership this year before the House Subcommittee on Terrorism, Unconventional Threats and Capabilities.
“I thought in February maybe the Department of Defense or at least the armed services committees would at least take a swing,” he said. “As an old Navy guy, I was disappointed.”
CYBERCOM is scheduled to be fully operational by October, and at Thursday’s hearing Alexander said his command staff is set. But it will take more time to build the cyber force of about 1,000 personnel slots allocated the command.
Already, the military has deployed an “expeditionary cybersupport element” to Afghanistan, he revealed, to protect military networks in that region.
“We’re not where we need to be in terms of setting all the things in place, but we’ve come a long ways,” he said. “And I think we’re making progress in that area.”
But defending civilian infrastructures like the U.S. power grid, he said, “would rely heavily on commercial industry,” until more legal authorities and partnerships with private companies can be further established.
Additionally, securing civilian computer systems without disrupting everyday online activities presents a challenge that, like many issues facing Alexander, has no easy answer.
“You could come up with what I would call a secure zone, a protected zone, that you want government and critical infrastructure to work in that part,” Alexander said. “The question is, how are we going to do it?”