Gen. Keith Alexander, head of the Defense Department's Cyber Command, told Congress this week that the U.S. military is unprepared to adequately defend against a serious cyber-based attack.
Not only does the military not have the proper capabilities in place to mount an effective cyber defense, they also lack the legal authority to act in regards to defending private networks.
"We are finding that we do not have the capacity to do everything we need to accomplish. To put it bluntly, we are very thin, and a crisis would quickly stress our cyber forces. We cannot afford to allow cyberspace to be a sanctuary where real and potential adversaries can marshal forces and capabilities to use against us and our allies. This is not a hypothetical danger," Alexander said.
In his opinion, the current state of cyber defense preparedness would only rate a "C" grade, but Alexander notes that there has been a great deal of improvement over the last few years.
Even so, U.S. networks are under constant attack, and experts warn that adversaries are increasingly able to penetrate both government and private systems to harvest sensitive data.
"Whatever we are doing now is not working. We need to rethink our approach. We are unprepared to defend ourselves," said James Lewis of the Center for Strategic and International Studies.
The vast majority of the systems that control the nation's critical infrastructure are owned and maintained by the private sector, and defense officials indicate they are working with the White House to define the authority needed to better defend those systems in the event of an attack.
Alexander went on to advise that all major conflicts in the future will have a significant cyber element, both offensive and defensive, and that Congress needs to work with the White House to define the parameters needed to guide the military in its response to cyber threats.