Continued from page 1

This last point is key because of the complicated jigsaw of authorities and responsibilities than different U.S. agencies have in relation to military, government and private-sector computer networks.

“There are so many stakeholder organizations and individuals in the cyberdomain it is difficult to know exactly where to start the collaboration, information sharing, and integration” needed, said Larry McKee, a computer-security specialist and longtime adviser to U.S. Strategic Command and the U.S. Air Force.

“What’s the long-term vision here?” asked Mr. Sachs. “Is it a small elite organization just focused on the military networks, or will it have a broader, almost National Guard-like mission to protect the nation’s critical infrastructure?”

Defense officials have been keen to stress that the new command will be focused on defending military networks’ “.mil” domain and that its establishment does not represent any attempt by the Pentagon to carve out a larger role for itself in defending the nation’s civilian-owned and -operated computer systems.

“Responsibility for protecting federal civilian networks would remain with the Department of Homeland Security,” Mr. Lynn said last week. “Likewise, responsibility for protecting private-sector networks would remain with the private sector.”

However, some privacy and civil liberties advocates have nonetheless expressed concerns about the role of the military and in particular the secretive National Security Agency in the cyberarena.

The new cybercommand will be headed by the director of the NSA, and Mr. Gates said he would recommend that the current incumbent of that job, Lt. Gen. Keith B. Alexander, be nominated to the new role.

Gen. Alexander is already in charge of the Joint Functional Component Command Network Warfare, the part of Strategic Command responsible for offensive cyberoperations.

“Many of the resources to be managed by cybercommand are already under Gen. Alexander’s control,” said Alan Paller, director of research at the SANS Institute, an industry nonprofit that does research and education on computer security.

“The new piece is that military resources currently outside of Strategic Command can now be mobilized,” Mr. Paller said. “The action-oriented resource base [of the new command] is much larger.”

However, Mr. Paller said leveraging those resources also required better partnership between the military and the private sector. A key problem for civilians engaged in trying to defend U.S. networks against cyber attacks, he said, was that they do not have access to the military’s latest, best information about attackers and the methods they are using.

Mr. Paller pointed out that the vast majority of the thousands of cyber attacks against U.S. military computers are carried out across civilian networks like the Internet, mostly managed by seven or eight large private-sector companies.

Currently, he said, because the network managers of those firms don’t have security clearances, “the military can’t share intelligence about the latest threat signatures” with them, making it much harder for them to spot attacks in progress.

Gen. Alexander told a symposium of the Armed Forces Communications and Electronics Association last week that the military will have to give network operations people the security clearances they need, so they can understand the nature of the threats.

Granting such clearances to “a very small set of people” would “radically improve our capabilities to defend” against cyberattacks, Mr. Paller said.

Story Continues →