The Defense Department for the first time is using cyber teams like they use aircraft to attack and to defend.
Gen. Keith Alexander, commander of U.S. Cyber Command and director of the National Security Agency, said in a letter to Sen. John McCain (R-Ariz.) that DoD is employing cyber teams to execute offensive and defensive missions. Previously, the military focused on offensive capabilities or defensive capabilities, but not both for one team.
"The lessons learned prove the powerful operational capability inherent in this organizational model, which combines both attack and defend capabilities under a single commander," Alexander wrote in response to one of six questions posed by McCain in a March 29 letter.
He said DoD recently held the Cyber Flag exercise where about 300 servicemen and women worked in a virtual environment against a realistic adversary. The goal of the drill was for teams to take part in realistic training across a full spectrum of cyber operations. The Pentagon also wanted to integrate the services' cyber components and other government organizations while focusing on standard processes for future cyber missions.
McCain's letter came after Alexander testified in late March before the Senate Armed Services Committee about cyber threats and what DoD is doing about it.
McCain said he was unhappy Alexander seemed to have changed his mind about whether DoD has enough legal authorities to protect the nation from a cyber attack.
"I was very disappointed that your testimony to this committee appears to have been more heavily influenced by White House policy, rather than your best military and technical advice and expertise," McCain wrote. "I am deeply concerned by your endorsement of the administration's proposal to appoint the Department of Homeland Security as the lead agency responsible for ensuring domestic security against cyber attacks. Our vulnerability to cyber attacks will not be remediated by creating additional layers of bureaucracy in an agency already failing in several of its core missions, including aviation security and border control. I do not understand why you believe DHS can more effectively protect our nation's critical infrastructure better than U.S. Cyber Command or the NSA."
Dispute over DHS role
McCain introduced a cybersecurity bill that is competing with the administration's proposal, which Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine) and Jay Rockefeller (D-W.Va.) used as the basis for their Cybersecurity Act of 2012.
Alexander said he was not inconsistent about what is needed from Congress to improve cyber and what authorities DoD now has.
He said legislation is needed in two areas: information sharing and core critical infrastructure hardening.
"If DoD is to defend the nation against cyber attacks originating from outside the U.S., it must be able to see those attacks in real time," Alexander wrote. "This requires legislation that, at a minimum, removes existing barriers and disincentives that inhibit owners of the critical infrastructure from sharing cyber threat indicators with the government."
Alexander also said voluntary and market-driven cyber requirements are not enough to protect critical infrastructure. McCain's bill calls for a purely volunteer approach, while the administration and the Lieberman-Collins-Rockefeller bill want a government-led collaborative rule-making process.
"The proposed security requirements in the administration's proposal would not dictate specific measures that may become outdated, but rather would require critical infrastructure to achieve security results using methods of their choice," he said. "We expect this approach will actually result in greater innovation, as companies look to the commercial market to produce security products and services that satisfy these requirements."
McCain's support of Cyber Command or NSA — instead of DHS — leading the federal effort to protect the Internet also is a main point of contention between the two bills and the administration.
Alexander wrote it takes DHS, the FBI, DoD and the intelligence community to protect federal networks and the nation's critical infrastructure.
"DoD would share the responsibility to protect the Defense Industrial Base with DHS, support DHS efforts to protect other critical infrastructure and defend the nation in the event of a cyber attack on critical infrastructure," he said. "The FBI would be responsible for conducting investigations of intrusion activity in those critical infrastructure networks inside the U.S."
Alexander invited McCain to visit NSA and U.S. Cyber Command in the near future to see existing and future cyber capabilities.