National Security Agency: 'We Need to See What's Going on'

The military's top cyber official this week made an urgent appeal for Congress to pass computer-security legislation, warning that the current legal framework discourages private-sector firms from sharing vital information about looming threats to the relevant government agencies and other businesses.

In remarks at a security conference hosted by Georgia Tech, Gen. Keith Alexander, the director of the National Security Agency and commander of U.S. Cyber Command, urged lawmakers to craft a statute that provides for an information-sharing system that would incorporate personal-privacy and civil-liberties protections while shielding businesses from liability for sharing sensitive threat data.

Alexander describes the current system for cybersecurity as fragmented: different infrastructure operators each monitor their narrow portion of the Internet ecosystem, while none has a holistic view. Through an act of Congress, Alexander envisions a system of automated information exchanges where threat information packaged in a "metadata-like format" is sent between businesses and government authorities at "network speed."

Information sharing is hardly the final solution to a complex and ever-changing set of threats, he admits, though he suggests that there may be no more critical starting point in the cybersecurity policy discussion.

"We need a way of seeing what's going on. So situational awareness in cyberspace is one of the most difficult issues," Alexander says.

"From my perspective, there's a lot of things that we need to do as U.S. Cyber Command, but first and perhaps the most important issue that I'll put on the table: We need legislation," he adds. "Why do we need legislation? Government does not see attacks on Wall Street. I know the public thinks that we see everything. The reality is that we don't. So if Wall Street is going to be attacked, or is attacked, the chances of me seeing it ... are limited."

Alexander's remarks came as the latest in a series of calls from senior administration and military officials for Congress to take up cybersecurity legislation. Already this year several committees have convened hearings, and various bills and draft proposals have been circulating on Capitol Hill.

Cybersecurity Policy Privacy Concerns

A central tenet of many of those proposals has been the information-sharing element that Alexander says is so crucial. Yet at the same time, privacy and civil-liberties advocates have raised concerns that bills like the bipartisan-backed Cyber Information Sharing and Protection Act (CISPA) could funnel troves of personal information about Internet users to the government with insufficient accountability and oversight.

For Alexander, the privacy concerns are real and necessary, but hardly an insurmountable obstacle.

"Right now, the ability to share real-time information and threat information is complicated and there are legal barriers to it. We have to overcome that. Now, I'm not talking about sharing personally identifiable information. We don't need that. We just need to share threat information on malicious software and the problems we see on equipment," Alexander says.

Cybersecurity Policy Legal Liability Concerns

Another critical aspect of enacting an effective information-sharing regime will involve shield provisions to protect companies that participate in good faith from legal liability, according to Alexander. Companies must have every incentive to share threat information with the relevant authorities for such a program to operate effectively, he argues, and that would necessarily include meaningful liability safeguards.

"We need to protect them from lawsuits. Where's the liability protection that comes in there? We've got to get that right," Alexander says.

While the discussion over information sharing raises sharp concerns from civil liberties groups, the notion that a more fluid exchange of threat data could improve the nation's security posture is itself less controversial.

That helps explain why a bill like CISPA takes a fairly narrow focus on that one aspect of the debate, while shying away from the more comprehensive approach that some recent proposals in the Senate have contemplated.

A key fault line in those discussions has been the extent to which the federal government should involve itself with oversight of the security systems in place to protect critical private-sector systems.

Alexander acknowledges that federal oversight is a thorny issue, and stresses that infrastructure operators in different sectors can't all be held to a uniform standard that would pave over significant distinctions in their systems and industries. In that light, he praises the executive order that President Obama issued earlier this year for its effort at beginning a dialogue between the government and private-sector firms to help encourage a greater understanding of the nuances of different industries and the security challenges they face.

"Where this gets really hard is when we say now we want to set standards and reporting vehicles. The first thing that everybody gets really nervous about is [that] they're going to set up a framework that's going to be a bureaucratic nightmare. And the answer is, this is hard," Alexander says. "How do you establish standards across the country where all the different sectors are at different levels of compliance and everyone looks at the network differently? And the answer is, that's almost impossible to do ..."

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for
