White House hasn't yet signaled how it might empower the Pentagon to avert a cyberattack on civilian networks.
The head of the military unit overseeing cyberspace reaffirmed that the U.S. Cyber Command cannot monitor civilian networks, noting its powerlessness over systems outside the .mil domain might require congressional action.
"I do not have the authority to look at what's going on in other government sectors, nor what would happen to critical infrastructures. That means that I can't stop [an assault on nonmilitary networks]," Cyber Command chief Gen. Keith Alexander said during remarks at a University of Rhode Island symposium on the increasing threat of cyberattacks.
The division of responsibility between the Pentagon and the Homeland Security Department is at the center of a debate on cybersecurity legislation. DHS currently keeps an eye on vulnerabilities in the .gov and other civilian domains, while the Defense Department has visibility only into .mil networks. The White House has yet to weigh in on how to empower Defense to avert a potential cyberwar without running astray of civil rights and privacy laws. But Alexander offered hints about what the Pentagon might be pushing the Obama administration to consider.
"Civil liberties and privacy are not [upheld] at the expense of cybersecurity," he said. "They will benefit from cybersecurity." With the proper oversight from the administration and Congress, the military would be held accountable for any transgressions, Alexander added.
Alexander, who also serves as National Security Agency director, noted the Pentagon and DHS presently are sharing information, security equipment and staff at an NSA office, under the guidance of legal counsel and privacy officers.
He does not expect an imminent cyberattack by a nation state against the United States, but the country must be prepared for the day when adversaries take to the Web to destroy the U.S. power grid, derail electronic stock exchanges, or shut down online communications, Alexander said.
Cyberspace is a domain that must be protected like the air, land and sea, "but it's also unique in that it's inside and outside military, civilian and government" domains, he said. Military forces "have to have the ability to move seamlessly when our nation is under attack to defend it . . . the mechanisms for doing that have to be laid out and agreed to. The laws don't exist in this area."
In March, Rep. James R. Langevin, D-R.I., who chairs the Congressional Cybersecurity Caucus, introduced a bill, H.R. 1136, that would create a cybersecurity review board with representation from civilian agencies, Defense and the White House. The measure has backing from Rep. Roscoe Bartlett, R-Md., a senior member of the Armed Services Committee.
"There is no one single person or office leading our government's efforts to keep our networks safe," Langevin said during the event. "My proposal establishes one national office to oversee cybersecurity, while ensuring the government and military can acquire the best technology and undergo regular reviews to evaluate their performance."
Sen. Sheldon Whitehouse, D-R.I., in recent weeks has pressured the administration to deliver to Congress a proposal for cyber reforms. Whitehouse, who also attended the forum, said last week lawmakers have been unable to act on network security legislation because they haven't received direction from the White House on assimilating the multiple cyber bills under consideration in both chambers.
The administration "will soon be prepared to reengage with Congress on this issue," said Whitehouse, chairman of the Judiciary Subcommittee on Crime and Terrorism, who also attended the forum.
"We hope to do a major bill this year," he added, noting that Langevin's bill "will be an important and foundational document."