By Cheryl Pellerin
American Forces Press Service
WASHINGTON, Mar. 7, 2014 – Leaks to the media of classified
information and the need for cyber legislation were key elements of a speech
this week by Army Gen. Keith B. Alexander, commander of U.S. Cyber Command and
director of the National Security Agency.
“What's going on in media leaks directly affects our ability
to get cyber legislation,” Alexander told an audience at Georgetown University,
“and we have to address both as a nation and amongst nations. We've got to get
this right.”
Recent media leaks include those by former NSA contractor
Edward Snowden, who last year fled the United States for temporary asylum in
Russia, after stealing 1.7 million intelligence files from NSA concerning the
agency’s surveillance activities and later disclosing thousands of documents to
reporters at London’s Guardian newspaper and the Washington Post.
The Justice Department has since charged Snowden, now a
fugitive, with espionage and theft of government documents. The massive leak
launched a continuing public debate, a presidential review of NSA
intelligence-collection practices, and a range of intelligence reforms
announced Jan. 17 by President Barack Obama.
On media leaks, Alexander offered his own perspective on a
Feb. 19 ruling by a British high court against David Miranda, the partner of
Guardian journalist Glenn Greenwald, who had published articles and was planning
to produce more stories based on Snowden’s stolen NSA data.
Miranda was detained for nine hours Aug. 19 after two
British counterterrorism-unit police officers searched him at Heathrow Airport
and found he was carrying encrypted material derived from NSA data stolen by
Snowden. He was held under the authority
of paragraph 2(1) of Schedule 7 of the United Kingdom Terrorism Act 2000, and
filed an application for judicial review of the detention, which he said took
place without legal authority.
On Feb. 19, a court dismissed Miranda’s application.
“We’re now in an interesting situation as a nation,”
Alexander said of the wide-ranging debate over the Snowden leaks, adding that
the U.K. justices in the Miranda case determined that “journalists have no
standing when it comes to national security issues.”
In the Miranda case, the British court found that
journalists have a “professional responsibility to take care so far as they are
able to see that the public interest, including the security of the state and
the lives of other people, is not endangered by what they publish.”
But the court called such a safeguard inadequate for lives
and security because of what was described as the “jigsaw” nature of
intelligence information -- a range of data and facts pieced together over time
by different agencies -- and because journalists have their own take on what
serves the public interest, and added that “constitutional responsibility for
the protection of national security lies with elected government.”
“I just put that on the table,” Alexander said, “because
that’s a key issue that we as a nation are going to face.”
The general said the leaks have caused “grave, significant
and irreversible damage to our nation and to our allies. It will take us years
to recover from it. In some areas like terrorism, I feel like someone else is
going to pay the price for what’s [been] done.”
The latest large distributed-denial-of-service attacks, one
in May and one in June 2013, Alexander said, caused more than $180 million in
damage to systems in South Korea.
“There is a great need for our nation to get cyber
legislation and work with other nations [to] set up norms” to help defend
against the rising number of adversaries.
Media leaks have made it necessary to address such issues as
a nation, the general said, including public discussion in the United States
about what the government should and should not do as part of its cyber
security responsibilities.
Alexander said that in preparation for an evolving cyber
future, Cyber Command is working on five priorities:
-- Establishing a defensible architecture -- a thin virtual
cloud architecture that turns the advantage to those who defend the networks
and that offers the ability to fix vulnerabilities at network speed.
-- Maintaining a trained and ready force by educating
everyone, including those at Cyber Command, to the high standard used for NSA’s
elite forces.
-- Establishing cyberspace operational concepts and command
and control for the many teams operating there. Alexander said Cyber Command is
working on virtual and physical command and control, and streamlining command
and control from the president and defense secretary to Cyber Command and
others.
-- Developing shared situational awareness in cyberspace as
a way to visualize it and everything that can happen there so military leaders
can understand what they’re facing and what’s needed to deny the adversary that
capability. “If we can’t visualize [cyberspace] and transfer that thought to
someone else, we won’t have a common way of stopping [adversaries],” the
general said. “For the cyber courses we have to have it, so we’re building a
common operational picture.”
-- Giving NSA and Cyber Command authority to share back with
industry malware signatures and information about cyber attacks or cyber
exploits.
A final critical issue, the general said, is for the nation
to determine a way for the government and other nations to work together in
cyberspace, “so everybody understands what the norms and the red lines are and
how we'll track them.”
Alexander added, “Why do we need cyber legislation? NSA has
great insights, as does Cyber Command, about threats against our nation. Wall
Street, the power companies and the rest of government don't have a way to
protect themselves [if we don’t work] together with them.”
Today, NSA and Cyber Command probably wouldn’t see an
incoming attack or exploit against Wall Street, he said.
Despite everything that’s been said about the domestic
collection capabilities of NSA, “the fact is we don't have the ability to see
[such commercial activity], and Internet service providers and others are
forbidden to share that information with the government -- the Department of
Homeland Security, the FBI, NSA and Cyber Command -- because of restrictions
put forth in the Electronic Communications Privacy Act and the Stored
Communications Act.”
The issue, he said, is that “we have capabilities to help
defend the nation, but we don't have a way to share them back and forth. And if
we did share something, we'd have to figure out how to work liability with
those companies so they're protected from the facts we've given them.”
Such liability protection would shelter companies from
customer civil suits based on company cybersecurity activities performed as
partners with government agencies, he explained.
“This is a team sport -- [it’s] not just NSA and Cyber
Command. It’s DHS, FBI and many others,” Alexander said. “The government has to
work with industry, we have to have the … policies and we’re working our way
through [them], but the key thing we need is legislation.”
NSA and Cyber Command, FBI and other agencies may know
something about an adversary’s ability to exploit or attack a network, he
explained. “If it’s classified, how do we share that?” he asked. “And if we
share that, how do they give that information back to us?”
Much needs to be accomplished between government and
industry and within the U.S. government to get the authorities issue right, the
general said. “We have a lot of capabilities in our government that we ought to
share, analogous to the way we share capabilities to defend our nation in
physical space,” he added.
“If a bank is attacked by another nation state [in
cyberspace], our country shouldn’t say to that bank, ‘Good luck with that.’
Because if that bank were attacked in physical space with missiles, we wouldn’t
say, ‘You have to have your own missile defense system.’ In this space we have
to figure out how that government-industry partnership will work.”
Alexander said the nation has to handle issues that have
arisen because of the media leaks before it tackles cyber legislation.
“I think we are going to make headway over the next few
weeks on media leaks,” he said. “I’m an optimist -- I think if we make the
right steps on media-leaks legislation, then cyber legislation will be a lot
easier.”