Defense and civilian agencies should adopt the same requirements, head of the National Security Agency says.
Civilian agencies should follow the same procedures for protecting their computer networks as the defense and intelligence communities, particularly as information sharing becomes more essential to government operations, a high-ranking intelligence official said on Thursday.
"[The standard] can't be the Defense Department defending the Defense Department," said Lt. Gen. Keith Alexander, director of the National Security Agency, during a keynote speech at the Armed Forces Communications and Electronics Association's cyberspace conference in Washington. "We have to get the same processes and procedures into Homeland Security and other agencies, so they know their [networks] are secure, and when those [networks] touch Defense, we know they're secure."
Operations such as the U.S. Northern Command, established in 2002 to help with homeland defense and coordinate the Pentagon's support of civil authorities, rely increasingly on the exchange of information via computer networks. Proper security protocols need to be in place to ensure vulnerabilities don't pose a threat to sensitive information, Alexander said.
Alexander's comments come on the heels of a report from the Commission on Cybersecurity for the 44th Presidency recommending that the incoming administration propose legislation that eliminates the legal distinction between the technical standards for national security computer systems and those for civilian agency systems. The government should adopt a risk-based approach to computer security based on common requirements for all federal information technology systems, the report said, listing NSA among the agencies that should be involved in the development of such standards.
"What used to be a single avenue of approach is now a network," Alexander said. "We have to learn how to operate jointly," to develop one picture that the federal government can use to manage and protect operations in real time.
Alexander also noted the need for agencies to use both classified and unclassified means of sharing malware signatures -- detailed descriptions of the characteristics and behaviors of malicious software that are typically compiled by antivirus and antispyware tools. That information can then be used to detect vulnerabilities and head off problems, he said.
"The Internet was not developed with a security layer," he said. "We have to build that in. We're almost back to World War II, figuring out what it takes to operate in [a new environment]. … We can't do this alone."