General Alexander: Organizations Should be Required to Secure Networks

In a letter to Senator John McCain, originally obtained by the Washington Post for a report published last Friday, General Keith Alexander, the director of the NSA and current commander of the U.S. Cyber Command, says that the U.S. should implement policy that would require hardened network defenses.

In Senator McCain’s letter, he asked General Alexander to explain what additional authorities he believed were necessary in order to defend the U.S. from a cyber attack initiated by a peer-competitor like China or Russia.

In his response, the head of the U.S. Cyber Command told the one-time presidential hopeful that legislation is needed for “information sharing and core critical infrastructure hardening,” adding that if the Department of Defense is to defend the nation against cyber attack, it must be able to see those attacks in real time.

“This requires legislation that, at a minimum, removes existing barriers and disincentives that inhibit the owners of the critical infrastructure from sharing cyber threat indicators with the Government,” General Alexander wrote.

“Additionally, given DoD reliance on certain core critical infrastructure to execute its mission, as well as the importance of the Nation’s critical infrastructure to our national and economic security overall, legislation is also needed to ensure that infrastructure is efficiently hardened and resilient. Recent events have shown that a purely voluntary and market driven system is not sufficient.”

He believes that some minimum-security requirements are necessary in order to ensure critical infrastructure is taking “appropriate measures to harden its networks...” At the same time, he added, it is important that legislative requirements not be too burdensome.

When asked which agency within the federal government has the most cybersecurity expertise and is most capable of protecting critical infrastructure, General Alexander said that none of them are.

“No single public or private entity has all of the required authorities, resources, and capabilities; cybersecurity requires a team... protecting our national interest in the cyber realm requires a team effort consisting of DHS, FBI, NSA/CSS and USCYBERCOM.”

The entire letter is worth a read. It was recently published in full by PublicIntelligence.net.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.