The release of several national surveillance leaks put the brakes on cybersecurity legislation, which was already under scrutiny by civil liberties groups. But NSA head Keith Alexander thinks Congress needs to get the bills back on track, letting federal agencies and companies share information about potential attacks. "How do you defend Wall Street from a major crisis?" he asked during a Tuesday interview hosted by Politico and defense contractor Raytheon. "We have to have the rules in place that you can defend Wall Street from being taken down, and inform the civilian leadership." Those rules, he said, would need to be put in place with "cyber legislation" before somebody decided to launch a "cyberpacket" assault.
Alexander, as head of US cyber command, discussed the offensive capabilities he's been building for some time. He also, however, said that Congress needed to untie his hands when it came to sharing information with companies that aren't part of critical infrastructure. Referencing Representative Mike Rogers' (R-MI) and Dutch Ruppersberger's (D-MD) controversial CISPA bill, he argued that the NSA, FBI, and Department of Homeland Security needed legislation to proactively prevent cyberattacks. "We have a great forensics team," he quipped. "It's all over, bad things have happened, we can come down and say 'It's really bad!'"
"How about a cyberpacket that's going to destroy Wall Street?"
One of the major concerns around CISPA, however, is whether it would give companies license to turn over more user information than necessary. While Rogers and Ruppersberger have said that the bill includes carefully crafted privacy protections, these worries stalled it the first time around, and they may do so again. It doesn't help that recent leaks suggest companies are already giving up more than users are comfortable with. Alexander and others have countered that this cybersecurity data won't even identify individuals. "It is threat information about somebody trying to attack, that they can give back to us and say 'This threat signature that came from that IP address is going over there,'" he said. "If you don't have that capability, you can't act."
Despite suggestions that Alexander wants to "snoop on Wall Street," these aren't particularly new or audacious proposals. There have been multiple information-sharing and cybersecurity bills in recent years, and President Obama has signed an executive order calling for Congress to act. The question, in all these cases, is the execution. Unfortunately, Alexander made his argument using a frustratingly common rhetorical tool: comparing damage in cyberspace to carnage in the real world.
"If you have a missile coming into the United States, everybody agrees ... we ought not to see if it's going to hit a military installation or a civilian installation and if it's a civilian say 'Ok, go ahead,'" he said, talking about who should have jurisdiction over cyberattacks. "We say no, no, that's the Defense Department's responsibility to stop that missile, please. How about a cyberpacket that's going to destroy Wall Street?" Alexander continued the comparison with a note about transparency. "For you to detect that missile, what are you doing? ... You know all this technical data. You know if that warhead is coming, what it probably has in its payload. We don't share that data publicly. And in cyber, it's going to be very similar."
"We're going to know things about the adversary's capabilities that need to be kept secret," he said. "But what the American People should know is that when it comes to working with industry, we have to be transparent."