FORT MEADE, Maryland (Reuters) - Expanded U.S. government cyber defenses would be the best way to guard vital services, possibly including financial networks, from the “real probability” of a destructive online attack, the head of the military’s new Cyber Command said.
Stretching a U.S. security umbrella over parts of the private sector is tricky for policymakers. Among the issues: how much to protect, who should be in charge, how to respond to any attack and whether Congress would have to vote new powers.
“The need is great, and there is no time to lose, as attacks and their potential effects would not discriminate between military and civilian users,” Army General Keith Alexander said in a written statement for Congress on Thursday.
He said a destructive strike could come from a foreign foe, a militant group or a lone rogue.
Cyber Command expects a budget of roughly $150 million in the fiscal year starting October 1, up from $120 million in fiscal 2010.
In separate remarks to a small group of reporters near his Fort Meade, Maryland, headquarters on Wednesday evening, Alexander said he envisioned the creation of a “secure, protected zone” for certain critical infrastructure. It could include banks, power grids and other vital services that would be walled off and guarded by the thousands of cyber warriors under his command since Cyber Command began taking shape in May.
“That’s probably what you’re going to get to, and that makes a lot of sense,” he said. “That was the best we could think of.”
Alexander wears two major hats. Besides heading Cyber Command, he leads the Pentagon’s super-secret National Security Agency. NSA helps protect government computer networks from penetration and runs a worldwide electronic eavesdropping system with satellites and ground stations.
Alexander spoke of partnering with the Department of Homeland Security, the FBI, the Energy Department and others as part of any government expansion into protecting the defense industrial base and critical services, while leaving the commercial Internet alone.
“I think doing it, technically, is fairly straight forward,” he said Wednesday. “The hard part is now ... ensuring everybody’s satisfied with what we’re going to do.”
The Department of Homeland Security is now the lead U.S. agency for securing federal civilian systems, sometimes described as the Internet’s dot-gov domain.
Deputy Defense Secretary William Lynn said in an opinion piece in the latest issue of the journal Foreign Affairs that the Pentagon “must leverage its 10 years of concerted investment in cyber defense to support broader efforts to protect critical infrastructure.”
Alexander said he expected President Barack Obama’s administration to seek any necessary new “authorities” for such an enterprise from the Congress elected in the November 2 U.S. midterm elections.
There is “a real probability” that the United States eventually “will be hit with a destructive attack, and we have to be ready for it,” he said Wednesday.
Earlier in the day, the Christian Science Monitor cited cyber security experts as saying malicious code dubbed Stuxnet amounted to the world’s first known cyber “super weapon” designed to destroy a real-world target — a factory, a refinery, or perhaps a nuclear power plant.
Alexander said his forces had looked at Stuxnet. “They see that it is essentially as laid out in the article, very sophisticated,” he told reporters in comments that were barred from publication until Thursday.
In his testimony to the House of Representatives’ Armed Services Committee, he said: “There are new tools appearing that can damage or destroy systems.”
Alexander told Reuters after the hearing that it was up to the White House to decide whether financial services should be part of the proposed new domain guarded by government resources.
Asked whether he thought including financial services was a good idea, he joked: “Well, at least for the bank that I use, I think it would be.”
Representative Ike Skelton, the Missouri Democrat who chairs the House Armed Services Committee, told Reuters after the hearing that he was not ready to pass judgment on possible new powers for Cyber Command, part of the Strategic Command that controls forces with a global reach.
Alexander spoke on Wednesday evening at the National Cryptologic Museum, next to the headquarters of both the Cyber Command and the NSA at Fort Meade, Maryland.
Reporting by Jim Wolf; Editing by Lisa Von Ahn