By Matthew Acocella
Best Defense deputy congressional bureau chief
National Security Agency Director Lieutenant General Keith Alexander finally got the chance Thursday to appear before the Senate Armed Services committee for his confirmation hearing to head the Department of Defense's newly formed Cyber Command operation. If confirmed, General Alexander would concurrently run both the NSA and the Cyber Command.
Members of the Senate Armed Services Committee clearly understand that the threat of cyber attacks is real and growing. (During his testimony, Alexander stated that hundreds of thousands of unauthorized probes are made each day into the Department of Defense's networks, and that he has seen a sharp spike in infiltrations and attacks since the beginning of this year.) Despite a six-month delay in holding a hearing, members of the committee expressed a sense of urgency that General Alexander get to work in standing up the command, which would be responsible for defending U.S. military networks against attacks and for launching retaliatory electronic counterattacks. Chairman Carl Levin attributed the significant delay in confirmation for Alexander to the still unresolved questions pertaining to the new command's mission, scope, and oversight.
One of the major themes of Thursday's hearing was questioning where the Cyber Command would fit within the traditional military chain of command and when and how Alexander and his team of computer whizzes would launch a counterattack. General Alexander admitted that we are in uncharted territory, but insisted that his command would defer to standing rules of engagement and that any order to retaliate would come from the Secretary of Defense and the President. In written responses to a Senate questionnaire obtained by the Associated Press ahead of his hearing, General Alexander asserted that commanders have clear rights to self-defense, and that while "this right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles... would be lawful."
Senator Levin noted that lawmakers' ability to set cyber policy has not kept pace with the nature of the threat, and both Senators Levin and McCain enthusiastically invited Alexander to submit to Congress a "laundry list" of needed legislative and regulatory updates to clarify Cyber Command's authority, as well as its responsibility to support other government agencies that handle cyber defense domestically, including the Department of Homeland Security and the FBI.
Senator Joe Lieberman, who also chairs the Senate Committee on Homeland Security and Government Affairs, quizzed General Alexander on whether he thought the proposed structure of having Cyber Command defend the dot-mil network with Homeland Security responsible for the dot-gov and civilian networks was the right approach. Gen. Alexander answered "yes," and pledged that his agencies would provide technical support and help DHS build the capacity to protect against attacks. It's common knowledge that the Department of Homeland Security's abilities in this area are seriously lacking, and it remains to be seen how effective interagency cooperation will be between DHS, the notoriously secretive NSA, and the new military Cyber Command. Further, it's not unreasonable to question to what extent the NSA and Cyber Command would overlap or share resources, both being military intelligence agencies headed by the same person. General Alexander clearly stated that the National Security Agency and the Cyber Command would be entirely separate entities with distinct chains of command. Congress should codify this distinction.
One thing never questioned was General Alexander's competence. He has already run the NSA for the past five years and senators of both parties praised his leadership and expressed confidence in his ability to be the first U.S. Cyber commander. Based on the senator's remarks at the hearing, it seems that Alexander is likely to be confirmed. But as General Alexander well knows, the business of defending our networks, identifying our attackers, and formulating the appropriate response is extremely complex. Leaders at Cyber Command deserve a clear legal framework in order to do their job effectively. The consensus in the hearing Thursday morning was that the President and Congress need to identify current gaps in law and regulation pertaining to this new program, and create specific guidelines that provide clear parameters for the Cyber Command to abide by. Considering it took half a year to hold a hearing for General Alexander, we can only wonder when that will actually happen.
Thomas E. Ricks covered the U.S. military for the Washington Post from 2000 through 2008.