Lt. Gen. Keith Alexander told the Senate Armed Services Committee April 15 that he would work to protect the privacy rights of Americans-even as he noted the amount of uncharted territory in cyber-law.
Currently director of the National Security Agency, Alexander has been nominated by President Obama to head the U.S. Cyber Command. The Cyber Command is a subordinate unified command under the U.S. Strategic Command, and was created in 2009 to protect Department of Defense networks and coordinate the country's cyber-warfare operations.
If confirmed, Alexander's main goal would be to build "the capacity, the capability and the critical partnerships required to secure our military's operational networks," he told the committee. This position, he said, is not about trying to "militarize cyberspace," but about safeguarding the integrity of the military's critical information systems.
However, the complexities of securing cyberspace were not lost in the discussion. Alexander noted that it is much more difficult to distinguish neutral countries and adversaries in cyber-war than in physical war, because a "cyber-attack could bounce through a neutral country."
Sen. Carl Levin, chair of the committee, questioned how Cyber Command would react in the event of a cyber-attack on the country's utilities that originated overseas but made use of computers in the United States.
Alexander said that scenario would primarily be the responsibility of the Department of Homeland Security, which is tasked with protecting the nation's civilian infrastructure, but the Cyber Command would get involved if asked for support.
"The issues now though are far more complex because you have U.S. persons, civil liberties, privacy all [coming] into that equation ...while you try to, on the same network, take care of bad actors," he said.
In an e-mail to eWEEK, Patrick Gorman, former Associate Director of National Intelligence at the Office of the Director of National Intelligence, said properly identifying who attacked and from where, as well as the impact of the attack, are key elements of a sound cyber-security policy.
"Taking action means [using] defensive means as well as offensive means," said Gorman, now a principal at consulting company Booz Allen Hamilton. "If a missile were fired at the United States, we would not hesitate to intercept the missile, regardless of who fired it. On the other hand, retaliation requires attribution and a proportionate response. So exact and certain attribution should not preclude a prompt and proportionate response to defend government networks and critical infrastructure."
Though Alexander said there is "much uncharted territory in the world of cyber-policy, law and doctrine," he stressed that the Cyber Command would respect the privacy rights of Americans.
"While cyberspace is a dynamic, rapidly evolving environment, what will never change will be an unwavering dedication by both Cyber Command and the National Security Agency to the protection of civil liberties and the privacy of American citizens," Alexander said.
"We face a growing array of cyber-threats from foreign intelligence services, terrorists, criminal groups and individual hackers who are capable of stealing, manipulating or destroying information that could compromise our personal and national security," he told the committee. "The Department of Defense in particular requires a focused approach to secure its own networks, given our military's dependence [on those networks] for command and control, logistics and military operations."