The military's top cyber official this week made an urgent appeal for Congress to pass computer-security legislation, warning that the current legal framework discourages private-sector firms from sharing vital information about looming threats to the relevant government agencies and other businesses.
In remarks at a security conference hosted by Georgia Tech, Gen. Keith Alexander, the director of the National Security Agency and commander of U.S. Cyber Command, urged lawmakers to craft a statute that provides for an information-sharing system that would incorporate personal-privacy and civil-liberties protections while shielding businesses from liability for sharing sensitive threat data.
Alexander describes the current system for cybersecurity as fragmented, where different infrastructure operators monitor their narrow portion of the Internet ecosystem, while none has a holistic view. Through an act of Congress, Alexander envisions a system of automated information exchanges where threat information packaged in a "metadata-like format" is sent between businesses and government authorities at "network speed."
"I know the public thinks that we see everything. The reality is that we don't. So if Wall Street is going to be attacked, or is attacked, the chances of me seeing it ... are limited."
Gen. Keith Alexander
Director of the National Security Agency
and commander of U.S. Cyber Command
Information sharing is hardly the final solution to a complex and ever-changing set of threats, he admits, though he suggests that there may be no more critical starting point in the cybersecurity policy discussion.
"We need a way of seeing what's going on. So situational awareness in cyberspace is one of the most difficult issues," Alexander says.
"From my perspective, there's a lot of things that we need to do as U.S. Cyber Command, but first and perhaps the most important issue that I'll put on the table: We need legislation," he adds. "Why do we need legislation? Government does not see attacks on Wall Street. I know the public thinks that we see everything. The reality is that we don't. So if Wall Street is going to be attacked, or is attacked, the chances of me seeing it ... are limited."
Alexander's remarks came as the latest in a series of calls from senior administration and military officials for Congress to take up cybersecurity legislation. Already this year several committees have convened hearings, and various bills and draft proposals have been circulating on Capitol Hill.
Cybersecurity Policy Privacy Concerns
A central tenet of many of those proposals has been the information-sharing element that Alexander says is so crucial. Yet at the same time, privacy and civil-liberties advocates have raised concerns that bills like the bipartisan-backed Cyber Information Sharing and Protection Act (CISPA) could funnel troves of personal information about Internet users to the government with insufficient accountability and oversight.
For Alexander, the privacy concerns are real and necessary, but hardly an insurmountable obstacle.
"Right now, the ability to share real-time information and threat information is complicated and there are legal barriers to it. We have to overcome that. Now, I'm not talking about sharing personally identifiable information. We don't need that. We just need to share threat information on malicious software and the problems we see on equipment," Alexander says.
Cybersecurity Policy Legal Liability Concerns
Another critical aspect of enacting an effective information-sharing regime will involve shield provisions to protect companies that participate in good faith from legal liability, according to Alexander. Companies must have every incentive to share threat information with the relevant authorities for such a program to operate effectively, he argues, and that would necessarily include meaningful liability safeguards.
"We need to protect them from lawsuits. Where's the liability protection that comes in there? We've got to get that right," Alexander says.
While the discussion over information sharing raises sharp concerns from civil liberties groups, the notion that a more fluid exchange of threat data could improve the nation's security posture is itself less controversial.
That helps explain why a bill like CISPA takes a fairly narrow focus on that one aspect of the debate, while shying away from the more comprehensive approach that some recent proposals in the Senate have contemplated.
A key fault line in those discussions has been the extent to which the federal government should involve itself with oversight of the security systems in place to protect critical private-sector systems.
Alexander acknowledges that federal oversight is a thorny issue, and stressed that infrastructure operators in different sectors can't all be held to a uniform standard that would pave over significant distinctions in their systems and industries. In that light, he praised the executive order that President Obama issued earlier this year for its effort at beginning a dialogue between the government and private-sector firms to help encourage a greater understanding of the nuances of different industries and the security challenges they face.
"Where this gets really hard is when we say now we want to set standards and reporting vehicles. The first thing that everybody gets really nervous about is [that] they're going to set up a framework that's going to be a bureaucratic nightmare. And the answer is, this is hard," Alexander says. "How do you establish standards across the country where all the different sectors are at different levels of compliance and everyone looks at the network differently? And the answer is, that's almost impossible to do ..."
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.