The U.S. military is ill-prepared for waging cyber warfare and needs to bolster defenses against the growing threat of cyber attacks against both military systems and private infrastructure, the commander of U.S. Cyber Command told Congress on Thursday.
“Those attacks are coming and I think those are near term and we’re not ready for them,” said Army Gen. Keith Alexander, head of Cyber Command and also outgoing director of the National Security Agency.
Alexander, in prepared testimony to the Senate Armed Services Committee, sounded the alarm on the need for better cyber attack and defense capabilities. He said the command’s priorities include setting up a secure “defensible” telecommunications architecture, training cyber warfare personnel, increasing intelligence data on global cyber threats, and clarifying lines of authority for conducting cyber attacks and defending government and private networks.
Cyber Command, currently staffed by 1,100 people, is making progress in all areas, said Alexander, who retires next month. However, he warned that cyber threats are increasing, shifting from temporarily disruptive attacks, to extremely damaging cyber strikes that can destroy data and machines, and potentially threaten the U.S. economy and endanger American lives.
“Despite our progress at U.S. [Cyber Command], I worry that we might not be ready in time,” he said. “Threats to our nation in cyberspace are growing.”
The main concerns are cyber attacks from nation states such as China or Russia that could create massive power outages in the United States, or an attack on U.S. financial networks, such as stock exchanges and financial institutions, that could cripple the economy.
Asked about the threat posed by Chinese-origin cyber attacks, Alexander sidestepped directly mentioning Chinese cyber warfare capabilities, saying he would only discuss the issue in a closed session.
“We have a lot of infrastructure—electric, our government, our financial networks,” he said. “We have to have a defensible architecture for our country, and we’ve got to get on with that.”
Cyber Command also needs to develop methods to prevent adversaries from easily penetrating networks and stealing data, money, and other property, he said.
During a cyber attack, hackers could shut down the power in the Northeast or attack the New York Stock Exchange and damage its data, Alexander said, adding that the financial losses from such attacks could range in the trillions of dollars and potentially cost American lives.
Government computer networks and transportation infrastructure also could be targeted.
Those who engage in cyber attacks have an advantage over those trying to defend computer networks, and U.S. legacy information systems and some U.S. weapons systems are not “cyber robust” enough, he said.
U.S. military personnel also lack training and readiness needed to confront advanced cyber threats, Alexander added, and military commanders lack confidence about what levels of risk are acceptable in the cyber domain. They also lack a “reliable situational awareness”—military jargon for knowing what is in the battle space, globally or in U.S. military systems, he said.
Command authority for defending networks and conducting cyber attacks also are spread out across the military and U.S. government and cyberwarfare operating concepts are “undefined and not wholly realistic,” Alexander said.