Senators worried about policy gap for new Cyber Command

The Defense Department faces a policy gap in establishing a new command overseeing cyberspace, the chairman of the Senate Armed Services Committee charged on Thursday.

During a hearing on the nomination of Army Lt. Gen. Keith Alexander, director of the National Security Agency, to run the U.S. Cyber Command, Sen. Carl Levin, D-Mich., said committee members examined myriad issues surrounding operations in cyberspace and concluded that "capabilities to operate in cyberspace have outpaced the development of policy, law and precedent to guide and control those operations."

Defense planned to set up the command by Oct. 1, 2009, to conduct defensive and offensive operations in cyberspace. But establishing its operations and confirming a commander have been delayed because the Armed Services Committee "proceeded methodically to gain an understanding of what the Congress is being asked to approve and what the key cyberspace issues are that need to be addressed," Levin said.

That policy gap is worrisome "because cyber weapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects, depending on how they are designed and used," he said.

Because the U.S. economy and government are more dependent on the Internet than any other nation's, the United States "must not only invest in the effectiveness of its defense but must think carefully about the precedents it sets, acting wisely in ways that we will accept if others act in the same or similar ways," Levin noted.

Alexander agreed that Congress must clarify numerous cyber policies and doctrine. For example, he said a response to a cyberattack from a neutral country could require a presidential decision.

Asked by Levin how the Cyber Command would respond to an attack thought to originate from computers owned by U.S. citizens, Alexander said it would require a balance between civil liberties, privacy concerns and the need "to take care of bad actors."

Sen. Mark Udall, D-Colo., said he was concerned that the command could possibly violate civil liberties when responding to attacks and invoked one of Ben Franklin's famous quotes, "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

NSA provides technical support to the Homeland Security Department to help defend federal networks outside Defense, but because those systems are operated and owned by companies, the Cyber Command faces possible jurisdiction issues when working with industry during an attack, Alexander said. Levin asked him to provide the committee with a list of policy changes needed to support the command.

Alexander emphasized in his testimony the command's defense of cyberspace, not its offensive capabilities. He assured lawmakers that setting up the organization would not lead to the militarization of cyberspace but rather a better way to defend networks. But in a written response to questions from the committee, Alexander said the command also would conduct offensive operations against a military and civilian targets. These include military command and control networks; air defense networks, power grids, and transportation and telecommunications networks -- the same targets that could be subject to cyberattacks in the United States.