WASHINGTON — Establishing U.S. Cyber Command closed the gap that prevented the Defense Department from defending its crucial information networks, the organization’s commander told the House Armed Services Committee yesterday.
Cybercom, based at Fort Meade, Md., merges the offensive and defensive sides of DOD’s cyber world into one organization for the benefit of both sides, said Army Gen. Keith B. Alexander, who also is director of the National Security Agency.
The command stood up in May. Before that, Joint Task Force Global Network Operations was responsible for defense.
“That task force got one level of intelligence and could see one part of the network,” Alexander told the committee. “Operating on the other side was the Joint Functional Component Command Net Warfare trained at a different level with different intel insights at a different classification level.”
Two organizations had responsibility for the same network, the general explained. “And if you were operating at the National Training Center, you wouldn’t have the defensive team out there defending, and then take them off the field and run out with an offensive team,” he said. “It’s the same team.”
The offense and defense cannot be different, because these operations will occur in real time, the general said.
“It’s also an experience that we’ve seen in some of our red team and blue teams of what’s happening in our networks,” he said. “And I think that’s a huge and a positive step and goes significantly toward providing better support to the [combatant commands].”
A subunified command under U.S. Strategic Command, Cybercom has about 1,000 servicemembers and civilian employees. The command has a budget of about $120 million this year, and is programmed for about $150 million in fiscal 2011.
“We need the continued support of Congress and the resources that the department is putting forward for the component commands that we have here,” Alexander said. “It is going to have to grow. Each of them are looking at this and addressing that, and we will need your continued support to make that happen.”
But the command also needs authorities and guidance from Congress and the White House to ensure a good defense. Alexander said the thinking is that any cyber defense will require a team effort incorporating the Homeland Security Department, the FBI, the Defense Department and other concerned public and private agencies.
“Right now, the White House is leading a discussion on what are the authorities needed and how do we do this and … how will that team operate to defend our country?” he said.
“What they will look at across that is what are the authorities, what do we have legally, and then given that, what do we have to come back to Congress and reshape or mold for authorities to operate in cyberspace?”
Alexander went on to describe different forms of the cyber threat.
“Since the inception of the Internet, as it were, probably the key thing that we’ve seen is hacker activity and exploitation,” he said. “That’s where someone comes in and takes information from your computer, steals your credit card number, takes money out of your account.”
That threat endures, and it possibly is the most significant form of the threat, the general said. It is not just stealing American intellectual property, he noted, but also involves theft of U.S. secrets and compromising other parts of U.S. networks.
Fast-forward to 2007, when Estonia became the first nation attacked in cyberspace.
“We see a shift from exploitation to actually using the Internet as a weapons platform to get another country to bend to the will of another country,” Alexander said. “While it’s hard to attribute that to a nation state, you can see it did happen when two nations were quarreling over political issues.”
Disruptive cyber attacks on Georgia followed in 2008. “A disruptive attack prevents you from doing your business for the time being,” the general explained, “but it’s normally something that you can recover from and then go on and do your business.”
“What concerns me the most,” he continued, “is destructive attacks that are coming, and we’re concerned that those are the next things that we will see.”
Destructive attacks destroy equipment, Alexander said, and the victim cannot take the same equipment and just drive forward.
“It’s not something that you recover from by just stopping the traffic,” he said. “It is something that breaks a computer or another automated device and, once broken, has to be replaced. That could cause tremendous damage.”
DOD is concerned about such an attack hitting defense networks in a war zone, Alexander said.
“If that were to happen in a war zone, that means our command and control system and other things suffer,” he said. “We’ve got to be prepared for that both from a defensive perspective, and then to ensure that the enemy can’t do that to us. Again – a full operational capability.”
DOD classified networks have been breached. A foreign intelligence agency used a flash drive to put a virus into U.S. Central Command networks in 2008. The department launched Operation Buckshot Yankee to combat the worm, and Cybercom has drawn lessons from the experience.
“We actually had three parts that came out of that Operation Buckshot Yankee – culture, conduct and capability,” Alexander told the representatives. “On the culture side, it was getting commanders to understand this is commander’s business. This isn’t something that you say, ‘I’m going to have one of my staff run it.’ This is commander’s business.
“Commanders are responsible for the operation of their command. And this operational network, it’s important to them.”
U.S. Department of Defense
Office of the Assistant Secretary of Defense (Public Affairs)