The U.S. military lacks full authority to defend the nation from a major cyber-attack aimed at crippling vital computer networks in the civilian sector, the general in charge of the new U.S. Cyber Command told lawmakers Thursday.
“Right now, the White House is leading a discussion on what are the authorities needed and how do we do this,” Gen. Keith Alexander, who is also National Security Agency director, told the House Armed Services Committee. “What are the authorities … we have legally, and then given that, what do we have to come back to Congress and reshape or mold.”
Experts say that questions of legal authority in the unique environment of cyberspace — where the networks critical to government and even military operations are owned and operated by the private sector — are a problem for U.S. cybersecurity efforts across the government.
He added, that if the command was tasked to defend civilian networks, “then we’d have to put in place the capabilities to do that. But, today, we could not.”
The Department of Homeland Security (DHS) has the lead in defending civilian government computer networks. The DHS is also in charge of coordinating with the private sector to defend commercial networks, that support vital industries like banking, power and transport.
In the event of a major cyber-attack against the electrical power grid, for instance, Gen. Alexander said that “right now, the defense of that would rely heavily on commercial industry to protect it.”
Although the military has authorities to assist civilian agencies in crisis situations, continuing ambiguity and uncertainty about exactly how the different elements of government would work together in the event of a large-scale, sophisticated cyber-attack — where network outages could cascade into a major disaster within minutes — troubles many observers.
“We must strategically plan across government to make sure all agencies and departments know their roles and what they are authorized to do in a large scale event,” he said.
Next week, DHS will stage just such a planning exercise, simulating a major cyber-incident in the United States. U.S. Cyber Command, which was created last year and plans to become fully operational next month, would take part, Gen. Alexander said.
But its participation also highlights some of the issues dogging U.S. policy, for example about when and how a cyber-incident is determined to be an act of war, triggering additional authorities for the military.