Alexander: U.S. Must Address Media Leaks, Cyber Legislation

By Cheryl Pellerin

American Forces Press Service

WASHINGTON, Mar. 7, 2014 – Leaks to the media of classified information and the need for cyber legislation were key elements of a speech this week by Army Gen. Keith B. Alexander, commander of U.S. Cyber Command and director of the National Security Agency.

“What's going on in media leaks directly affects our ability to get cyber legislation,” Alexander told an audience at Georgetown University, “and we have to address both as a nation and amongst nations. We've got to get this right.”

Recent media leaks include those by former NSA contractor Edward Snowden, who last year fled the United States for temporary asylum in Russia, after stealing 1.7 million intelligence files from NSA concerning the agency’s surveillance activities and later disclosing thousands of documents to reporters at London’s Guardian newspaper and the Washington Post.

The Justice Department has since charged Snowden, now a fugitive, with espionage and theft of government documents. The massive leak launched a continuing public debate, a presidential review of NSA intelligence-collection practices, and a range of intelligence reforms announced Jan. 17 by President Barack Obama.

On media leaks, Alexander offered his own perspective on a Feb. 19 ruling by a British high court against David Miranda, the partner of Guardian journalist Glenn Greenwald who had published articles and was planning to produce more stories based on Snowden’s stolen NSA data.

Miranda was detained for nine hours Aug. 19 after two British counterterrorism-unit police officers searched him at Heathrow Airport and found he was carrying encrypted material derived from NSA data stolen by Snowden.  He was held under the authority of paragraph 2(1) of Schedule 7 of the United Kingdom Terrorism Act 2000, and filed an application for judicial review of the detention, which he said took place without legal authority.

On Feb. 19, a court dismissed Miranda’s application.

“We’re now in an interesting situation as a nation,” Alexander said of the wide-ranging debate over the Snowden leaks, adding that the U.K. justices in the Miranda case determined that “journalists have no standing when it comes to national security issues.”

In the Miranda case, the British court found that journalists have a “professional responsibility to take care so far as they are able to see that the public interest, including the security of the state and the lives of other people, is not endangered by what they publish.”

But the court called such a safeguard inadequate for lives and security because of what was described as the “jigsaw” nature of intelligence information -- a range of data and facts pieced together over time by different agencies -- and because journalists have their own take on what serves the public interest, and added that “constitutional responsibility for the protection of national security lies with elected government.”

“I just put that on the table,” Alexander said, “because that’s a key issue that we as a nation are going to face.”

The general said the leaks have caused “grave, significant and irreversible damage to our nation and to our allies. It will take us years to recover from it. In some areas like terrorism, I feel like someone else is going to pay the price for what’s [been] done.”

The latest large distributed-denial-of-service attacks, one in May and one in June 2013, Alexander said, caused more than $180 million in damage to systems in South Korea.

“There is a great need for our nation to get cyber legislation and work with other nations [to] set up norms” to help defend against the rising number of adversaries.

Media leaks have made it necessary to address such issues as a nation, the general said, including public discussion in the United States about what the government should and should not do as part of its cyber security responsibilities.

Alexander said that in preparation for an evolving cyber future, Cyber Command is working on five priorities:

-- Establishing a defensible architecture -- a thin virtual cloud architecture that turns the advantage to those who defend the networks and that offers the ability to fix vulnerabilities at network speed.

-- Maintaining a trained and ready force by educating everyone, including those at Cyber Command, to the high standard used for NSA’s elite forces.

-- Establishing cyberspace operational concepts and command and control for the many teams operating there. Alexander said Cyber Command is working on virtual and physical command and control, and streamlining command and control from the president and defense secretary to Cyber Command and others.

-- Developing shared situational awareness in cyberspace as a way to visualize it and everything that can happen there so military leaders can understand what they’re facing and what’s needed to deny the adversary that capability. “If we can’t visualize [cyberspace] and transfer that thought to someone else, we won’t have a common way of stopping [adversaries],” the general said. “For the cyber courses we have to have it, so we’re building a common operational picture.”

-- Giving NSA and Cyber Command authority to share back with industry malware signatures and information about cyber attacks or cyber exploits.

A final critical issue, the general said, is for the nation to determine a way for the government and other nations to work together in cyberspace, “so everybody understands what the norms and the red lines are and how we'll track them.”

Alexander added, “Why do we need cyber legislation? NSA has great insights, as does Cyber Command, about threats against our nation. Wall Street, the power companies and the rest of government don't have a way to protect themselves [if we don’t work] together with them.”

Today, NSA and Cyber Command probably wouldn’t see an incoming attack or exploit against Wall Street, he said.

Despite everything that’s been said about the domestic collection capabilities of NSA, “the fact is we don't have the ability to see [such commercial activity], and Internet service providers and others are forbidden to share that information with the government – the Department of Homeland Security, the FBI, NSA and Cyber Command -- because of restrictions put forth in the Electronic Communications Privacy Act and the Stored Communications Act.”

The issue, he said, is that “we have capabilities to help defend the nation, but we don't have a way to share them back and forth. And if we did share something, we'd have to figure out how to work liability with those companies so they're protected from the facts we've given them.”

Such liability protection would shelter companies from customer civil suits based on company cybersecurity activities performed as partners with government agencies, he explained.

“This is a team sport -- [it’s] not just NSA and Cyber Command. It’s DHS, FBI and many others,” Alexander said. “The government has to work with industry, we have to have the … policies and we’re working our way through [them], but the key thing we need is legislation.”

NSA and Cyber Command, FBI and other agencies may know something about an adversary’s ability to exploit or attack a network, he explained. “If it’s classified, how do we share that?” he asked. “And if we share that, how do they give that information back to us?”

Much needs to be accomplished between government and industry and within the U.S. government to get the authorities issue right, the general said. “We have a lot of capabilities in our government that we ought to share, analogous to the way we share capabilities to defend our nation in physical space,” he added.

“If a bank is attacked by another nation state [in cyberspace], our country shouldn’t say to that bank, ‘Good luck with that.’ Because if that bank were attacked in physical space with missiles, we wouldn’t say, ‘You have to have your own missile defense system.’ In this space we have to figure out how that government-industry partnership will work.”

Alexander said the nation has to handle issues that have arisen because of the media leaks before it tackles cyber legislation.

“I think we are going to make headway over the next few weeks on media leaks,” he said. “I’m an optimist -- I think if we make the right steps on media-leaks legislation, then cyber legislation will be a lot easier.”