The Senate has confirmed Gen. Keith Alexander (promoted from lieutenant general the same day) May 7 as head of the U.S. Cyber Command. He will have his work cut out for him.
"There is a glass," James Miller, principal deputy assistant secretary of defense for policy, told the Defense Department's American Forces Press Service May 12. "It has some water in it. The water is dirty, and we have an insatiable thirst in this area."
In an assessment of the country's cyber-security posture, Miller said the government faces "immense" challenges as it develops a strategy flexible enough to address the diversity of cyber-threats.
"We don't really understand the nature of the threat that we face," he noted. "Over the past decade, we have seen the frequency and sophistication of intrusions into our networks increased. Our networks are scanned thousands of times an hour."
The Defense Department alone has about 15,000 networks, with millions of users in 88 countries.
Another threat comes from outright attacks, Miller said, including denial-of-service attacks, viruses and worms. More than 100 foreign intelligence services are trying to get into Defense Department systems, Miller added, and some foreign militaries are developing offensive cyber-capabilities. Knowing who is delivering them is extremely difficult to pin down, he said, and foes will confront the United States using these cheap, asymmetric tools.
"The linkages between intelligence, offense and defense are particularly important in cyber-operations," Miller said. "The ability to repel attackers is closely tied to the ability to identify them."
The technical challenges of security are only part of the problem, however. During his confirmation hearing, Alexander, who is also director of the National Security Agency, noted that there is "much uncharted territory in the world of cyber-policy, law and doctrine."
"While cyberspace is a dynamic, rapidly evolving environment, what will never change will be an unwavering dedication by both Cyber Command and the National Security Agency to the protection of civil liberties and the privacy of American citizens," Alexander told the committee.
The legal question of when a cyber-incident rises to the level of an attack covered by laws regarding armed conflict is an open question, Miller said. But there is a difference between cyber-espionage and acts meant to degrade U.S. networks or deluge them with false data, he noted.
"There is no way we are going to fully defend against cyber-espionage," Miller said. "And we understand that not everything that happens in cyberspace is an act of war. As we think of the role of cyberspace in supporting military operations, and the role of cyber-attacks as ... the front end of a kinetic military attack, then we would think about the potential for responses that are not limited to the cyber-domain."