By Eric Beidel 
With a looming presidential election likely to stymie any progress on key issues this year by Congress, the military’s cybersecurity chief nonetheless called on lawmakers to pass legislation that would spur government and industry to share information on network attacks.
Army
Gen. Keith Alexander, commander of U.S. Cyber Command and director of
the National Security Agency, sought to alleviate concerns about privacy
rights during a July 9 speech to a standing-room only crowd at the
American Enterprise Institute in Washington, D.C.
“We can do protection of civil liberties and privacy and cybersecurity as a nation,” Alexander said.
Lawmakers
currently have before them four major pieces of legislation, all of
which focus on information sharing. Alexander hopes that Congress can
sort through the mess to determine how government agencies and industry
can share information and do so “in such a way that the American people
know that we’re protecting civil liberties and privacy.”
The idea that the NSA’s new Utah Data Center will be leafing through trillions of personal emails is “bologna,” he said.
Security
companies such as McAfee and Symantec have a number of ways to evaluate
malware that could infect systems, but “they’re not reading your email,
per se, to see that,” Alexander said.
The
general expressed concern about attacks on critical infrastructure such
as the power grid and financial system. The government has to rely on
the private sector to tell them what’s hitting those systems, he said.
“If
the critical infrastructure community is being attacked by something,
we need them to tell us at network speed. It doesn’t require the
government to read their mail or your mail,” Alexander said. “It’s like a
missile coming into the United States . . . we’re actually trying to
figure out when the nation’s under attack and what we need to do about
it.”
Speaking
during a panel discussion after the general’s speech, Cato Institute
Director of Information Policy Studies Jim Harper suggested that the
leader of Cyber Command may be simplifying the concerns about privacy
rights. Most of the cybersecurity bills have language that would allow
them to take precedence over other laws, Harper said.
“It
disturbs me to think that health privacy law, financial privacy law,
the Electronic Communications Privacy Act, the E-Government Act,
contract law, torts, go on, go on, go on — none of those would apply
when information sharing for cybersecurity purposes is involved,” he
said. “Surely we can write more precise legislation than that, and I
think Gen. Alexander could serve the discussion well by asking not to
have provisions like that in legislation.”
Other
experts on the panel suggested that apocalyptic rhetoric has made it
seem as if the United States were in imminent danger of a crippling
cyber-attack, but that the reality is much different.
“The
idea of a bolt-from-the-blue nation-state attack on the U.S.
infrastructure strikes me as being very unrealistic,” said Adam Segal,
senior fellow for counterterrorism and national security studies at the
Council on Foreign Relations.
The Stuxnet virus unleashed on Iran’s nuclear facilities has been labeled the most sophisticated attack in history, he noted.
“But
from my point of view it actually did not do that much harm,” Segal
said. “We’re not talking about, as far as I can tell, truly strategic
implications on the Iranian nuclear program. Perhaps it set it back 18
months. Perhaps it set it back two years.”
The
threat of intellectual property, however, is all too real, Alexander
said. Hackers from China and elsewhere are getting away with U.S.
proprietary information in what the general called the greatest transfer
of wealth in history.
“That’s our future disappearing in front of us,” he said.
And
the longer the country goes without solid authorities and laws on
information sharing, the greater the chance of an overreaction when
something bad does happen, Alexander said.
“This cybersecurity legislation coming up is going to be absolutely vital to the future of our country,” he said.