Gen. Keith Alexander, head of the U.S. Cyber Command, called for the establishment of clear rules of engagement for cyberspace as the country deals with the prospect of "remote sabotage."
Alexander spoke June 3 before an audience at the Center for Strategic and International Studies, a think tank in Washington, DC. In comments to the crowd, Alexander, who is also director of the National Security Agency (NSA), said the realities of securing the Internet require the government have a framework in place to guide its responses to attacks.
"What the department is looking at," he said, "are what are the standing rules of engagement that we have? Do those comport with the laws, the responsibilities that we have? Can we clearly articulate those so that people know and expect what will happen? And I think we have to look at it in two different venues, what we're doing here in peacetime and what we need to do in wartime to support those units that are in combat."
He noted there may need to be different sets of rules governing U.S. responses in different situations, such as a direct attack from a country the U.S. is at war with or an adversary using a neutral country to bounce their attack through.
"It's not unlike warfare, where...you have armed conflict going in one state and somebody attacks from a neutral state," he said. "There are laws of land warfare that deal with that. We now have to look at that in light of cyberspace."
Increasingly, systems are being targeted for remote sabotage, as opposed to distributed denial-of-service attacks like those that targeted Georgia and Estonia a few years ago, he said. Dealing with the threats will require a "unity of effort" and "a commitment of dedicated resources," he said.
Alexander officially took the reigns for the Cyber Command May 7. In April, Alexander told the Senate Armed Services Committee Cyber Command would not seek to -militarize' the Internet. He reiterated however that the government would look to strike a balance between national security and civil liberties.
"The hard part," he explained, "is we can't go out and tell everybody exactly what we did or we give up a capability that maybe extremely useful in protecting our country and our allies...You say, -I'm defending my computer system using the following steps: one, two, three, four.' The adversary will say, -thank you, one, two, three, four, now I know how to get around it,' and within a day, they're through. That's the problem that we face, and so I think the real key to the issue - how do we build the confidence that we're doing it right with the American people, with Congress and everybody else?"