Technology has opened tremendous opportunities for the world, but also poses tremendous challenges for those who work to ensure access to cyberspace, the director of the National Security Agency said Monday.
Army Gen. Keith B. Alexander, who also commands U.S. Cyber Command, told participants in an American Enterprise Institute seminar titled “Cybersecurity and American Power” that the capability exists today for destructive cyber attacks against critical infrastructures.
The cyber world is an increasingly important domain, the general said. In 2000, 360 million people were on the Internet. Today, more than 2.3 billion people are connected. Last year, 107 trillion emails were sent, he added, and a sign of the times is that more than 500,000 apps exist for the iPhone and 280,000 for Android smartphones.
But this tremendous opportunity for communication also presents a potential avenue of attack, Alexander said. A 2007 denial-of-service attack on Estonia virtually shut the nation down, he said, but that was just a transitory event in the evolution of cyber attacks.
“What I think we really need to be concerned about is when these transition from disruptive to destructive attacks -- and I think those are coming,” he said.
A destructive attack does not simply overload computers or networks -- it destroys data or software, and systems must be replaced to return to the status quo. “We’ve got to consider that those are going to happen,” Alexander said. “Those are coming up, and we have to be ready for that.”
The general stressed that deterring cyber attacks is more difficult than nuclear deterrence, noting that nation-states, cyber criminals, hackers, activists and terrorists all pose threats.
“So when you think about deterrence theory, you’re not talking about just nation-on-nation deterrence theory,” he said. “You have other non-nation-state actors that you now have to consider.”
An attack may originate in a country, Alexander said, but no one can really tell if it’s the nation, a criminal gang within the country or a lone hacker launching the attack.
Regardless of who initiates an attack, he added, the result could be the same.
“You lose the financial sector or the power grid or your systems capabilities for a period of time,” the general said. “It doesn’t matter who did it; you still lose that. So you’ve got to come up with a defensive strategy that solves that, from my perspective.”
The U.S. defensive strategy has to be a team approach, he said. “We want to get as many people as we can working together to solve this problem,” Alexander said.
The White House has led the governmental effort, spanning the Department of Homeland Security to the Defense Department to the FBI and beyond. And any protection -- to be effective -- must include the private sector, the general told the audience. This has caused hackles to rise, he acknowledged, with critics saying such efforts are an invasion of privacy. But, Alexander said, it can be done while protecting civil liberties.
“If the critical infrastructure community is being attacked by something, we need them to tell us at network speed,” the general said. “It doesn’t require the government to read their mail or your mail to do that. It requires them -- the Internet service provider or that company -- to tell us that that type of event is going on at this time. And it has to be at network speed if you’re going to stop it.”
Cyber runs at the speed of light, Alexander noted, and human reaction times are simply not fast enough to react.
“Maybe we could do this in real time and come up with a construct [in which] you and the American people know that we’re not looking at civil liberties and privacy, [but] we’re actually trying to figure out when the nation is under attack and what we need to do about it,” he said.