recommended reading

Congress, administration grapple with cyber defense authority

The head of the military unit overseeing cyberspace reaffirmed that the U.S. Cyber Command cannot monitor civilian networks, noting its powerlessness over systems outside the .mil domain might require congressional action.

"I do not have the authority to look at what's going on in other government sectors, nor what would happen to critical infrastructures. That means that I can't stop [an assault on nonmilitary networks]," Cyber Command chief Gen. Keith Alexander said during remarks at a University of Rhode Island symposium on the increasing threat of cyberattacks.

The division of responsibility between the Pentagon and the Homeland Security Department is at the center of a debate on cybersecurity legislation. DHS currently keeps an eye on vulnerabilities in the .gov and other civilian domains, while the Defense Department has visibility only into .mil networks. The White House has yet to weigh in on how to empower Defense to avert a potential cyberwar without running astray of civil rights and privacy laws. But Alexander offered hints about what the Pentagon might be pushing the Obama administration to consider.

"Civil liberties and privacy are not [upheld] at the expense of cybersecurity," he said. "They will benefit from cybersecurity." With the proper oversight from the administration and Congress, the military would be held accountable for any transgressions, Alexander added.

Alexander, who also serves as National Security Agency director, noted the Pentagon and DHS presently are sharing information, security equipment and staff at an NSA office, under the guidance of legal counsel and privacy officers.

He does not expect an imminent cyberattack by a nation state against the United States, but the country must be prepared for the day when adversaries take to the Web to destroy the U.S. power grid, derail electronic stock exchanges, or shut down online communications, Alexander said.

Cyberspace is a domain that must be protected like the air, land and sea, "but it's also unique in that it's inside and outside military, civilian and government" domains, he said. Military forces "have to have the ability to move seamlessly when our nation is under attack to defend it . . . the mechanisms for doing that have to be laid out and agreed to. The laws don't exist in this area."

In March, Rep. James R. Langevin, D-R.I., who chairs the Congressional Cybersecurity Caucus, introduced a bill, H.R. 1136, that would create a cybersecurity review board with representation from civilian agencies, Defense and the White House. The measure has backing from Rep. Roscoe Bartlett, R-Md., a senior member of the Armed Services Committee.

"There is no one single person or office leading our government's efforts to keep our networks safe," Langevin said during the event. "My proposal establishes one national office to oversee cybersecurity, while ensuring the government and military can acquire the best technology and undergo regular reviews to evaluate their performance."

Sen. Sheldon Whitehouse, D-R.I., in recent weeks has pressured the administration to deliver to Congress a proposal for cyber reforms. Whitehouse, who also attended the forum, said last week lawmakers have been unable to act on network security legislation because they haven't received direction from the White House on assimilating the multiple cyber bills under consideration in both chambers.

The administration "will soon be prepared to reengage with Congress on this issue," said Whitehouse, chairman of the Judiciary Subcommittee on Crime and Terrorism, who also attended the forum.

"We hope to do a major bill this year," he added, noting that Langevin's bill "will be an important and foundational document."

Threatwatch Alert

Credential-stealing malware / User accounts compromised / Software vulnerability

Android Malware Infects More than 1M Phones, Adds 13,000 Devices a Day

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.


When you download a report, your information may be shared with the underwriters of that document.