Army Gen. Keith Alexander, commander of the U.S. Cyber Command, testifies before the House Armed Services Committee in 2010 in Washington. (File photo / Agence France-Presse)
Companies that own networks critical to public safety, national security and commerce must be subject to federal cybersecurity standards because many are not taking even basic steps to secure those systems on their own, Army Gen. Keith Alexander, head of the National Security Agency and the military's Cyber Command, told senators Tuesday.
Operators of the most critical systems also should be required to report cyber attacks to the government, Alexander said.
Both of those measures are included in a bipartisan cybersecurity bill introduced in February by Sen. Joe Lieberman, I-Conn. The bill has received sharp criticism from some Republican senators who challenge the need for more government regulation.
The challenge is ensuring that private systems and networks are well defended without creating added burdens on industry, Alexander said at the hearing.
"But I do think we have to set up some standards," Alexander said. He agreed with Sen. Susan Collins, R-Maine, a co-sponsor of the Lieberman bill, that critical infrastructure operators are not taking even the most basic measures, such as installing software patches and updates, to secure their systems.
Lieberman's bill, the 2012 Cybersecurity Act, S 2105, would authorize the Department of Homeland Security to create and regulate security standards for certain privately owned systems that, if attacked, would likely cause death, severe economic damage or harm to national security. Critical infrastructure that is not adequately regulated by another federal agency or properly secured voluntarily by a company would be subject to DHS regulation and oversight.
Sen. John McCain, R-Ariz., and seven Republican co-sponsors introduced their own bill March 1 that promotes voluntary information sharing of cyber threats between government and industry through existing partnerships. The Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology Act (SECURE IT), S 2151, would not give DHS new regulatory authority.
Alexander said DHS should be responsible for working with the private sector and federal agencies to develop standards and protocols for building safe networks. Agencies such as the NSA and FBI must partner with DHS and the private sector to defend against and stop cyber attacks while they're in progress, Alexander said.
That will require the government and private sector to voluntarily share information about cyber threats, a point on which lawmakers agree.
Currently, the government is in a "forensic mode," where it finds out about attacks after they occur, Alexander said. Government should be in the "prevention mode." Industry should have the ability to detect cyber threats and share them with the government in real time.
"If we can't see the attack, we can't stop it," he said.
Alexander said he opposes having NSA or the military monitor private networks for cyber attacks.
"If we go too far, it sends the wrong message," he said.
If there is an attack domestically or overseas that has significant consequences, the Defense Department would become the lead agency in defending the nation.
DoD and the administration are working to develop rules that define how the government should respond to cyber attacks and operate in cyberspace.