Claiming to have the backing of the American people, lawmakers argued the Defense Department -- not the Homeland Security Department -- should guard the country against cyberattacks.
Currently, DHS has the lead in protecting private and civil government networks, including critical infrastructure systems such as the power grid and other utilities, but members of the House Armed Services emerging threats and capabilities subcommittee said at a hearing Tuesday that Defense should take the larger role.
Defense officials told the panel that due to privacy and civil liberty concerns, DHS should have the lead in protecting private and civil government networks.
Rep. Mac Thornberry, R-Texas, chairman of the subcommittee, said in his opening statement at the hearing, "The American people expect the Department of Defense to defend the country in whatever domain it is attacked. That means that Cyber Command must be ready, and Congress and the administration must find a way to ensure that it has the legal authorities it needs and at the same time ensure that the constitutional rights of Americans are protected."
Thornberry, in a comment during the hearing, said this hands Congress a constitutional role that the founders of the country never envisioned: "How do we declare war at the speed of light?"
Army Gen. Keith Alexander, commander of the U.S. Cyber Command, and Madelyn Creedon, assistant secretary of Defense for global strategic affairs, both told the hearing that Defense and the Obama administration plan to release within a month refined rules of engagement in cyberspace that will clarify the roles of Defense and DHS.
House Speaker John Boehner, R-Ohio, and House Majority Leader Eric Cantor, R-Va., plan to bring broad cyber legislation to the House floor in April, according to Thornberry. He said development of cyber policy requires the input of not only Congress and the administration but of an increasingly wired public as well.
Thornberry and other members of the subcommittee expressed frustration with the bifurcated roles Defense and DHS have in protecting private networks, particularly those that manage the power grid and other utilities.
Rep. K. Michael Conaway, R-Texas, said in his mind, the dual role that exists today is equivalent to DHS running the North American Aerospace Defense Command to monitor airspace for a missile or aircraft attack, and if such an attack occurs -- an act of war -- turning over response to that attack to Defense.
Rep. Robert Andrews, D-N.J., said due to the speed of operations in cyberspace and the current rules of engagement, an attack will be over by the time DHS detected it and Defense responded. Andrews said if the country is truly concerned about cyberattacks, then Defense should be the "focal point" of any response.
Alexander told the hearing that cyberspace has "become more dangerous" and when it comes to probes and penetrations today, the offense has the upper hand. "Our interconnectedness is now a national security issue" that has the attention of leaders in both Congress and the administration, he said in written testimony.
"We reserve the right to use all necessary means," including military force, to respond to an attack in cyberspace, he added.
Still, Alexander does not believe Defense should take over the cyber roles and missions in the private sector that are currently assigned to DHS. That department should be "the public face" of private sector cyber defense to ensure "protection of civil liberties and privacy," Alexander said in response to a question from Thornberry.
Alexander said Defense also does not have the resources to take over DHS' cyberspace role. "If we did so, it would sap our manpower," he said.
The best way Defense can assist DHS and the private sector is through information sharing of cyber threats, Alexander said. Such sharing started last year with the Defense Industrial Base Cyber Pilot Program sharing classified intelligence with select military contractors and their communications providers, he said.
Creedon, in her written testimony, said Defense is working with DHS to make cyber threat information sharing with defense contractors a permanent program.