
NSA chief wants to protect 'critical' private networks

Gen. Keith Alexander, who also runs the U.S. Cyber Command, says it's time to "refine the roles of government and the private sector in securing this nation's critical networks."

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
NSA chief Keith Alexander, who also runs the U.S. Cyber Command, says it's time to "refine the roles of government and the private sector in securing this nation's critical networks." Declan McCullagh/CNET

SAN FRANCISCO--The head of the National Security Agency said today that the U.S. military should have the authority to defend "critical networks" from malware and other disruptions.

Gen. Keith Alexander, who is also the head of the Pentagon's U.S. Cyber Command, said at the RSA Conference here that the NSA's "active defenses" designed to defend military networks should be extended to civilian government agencies, and then key private-sector networks as well.

"I believe we have the talent to build a cyber-secure capability that protects our civil liberties and our privacy," Alexander said.

Alexander's comments come only two days after William Lynn, the deputy secretary of defense, offered the same suggestion. In an essay last year, Lynn likened active defenses to a cross between a "sentry" and a "sharpshooter" that can also "hunt within" a network for malicious code or an intruder who managed to penetrate the network's perimeter.

But the power to monitor civilian networks for bad behavior includes the ability to monitor in general, and it was the NSA that ran the controversial warrantless wiretapping program under the Bush administration. Concerns about privacy are likely to turn on the details, including the extent of the military's direct involvement, and whether Web sites like Google.com and Hotmail.com could be considered "critical" or the term would only be applied to facilities like the Hoover Dam.

Alexander offered little in the way of specifics today. "We need to continue to refine the roles of government and the private sector in securing this nation's critical networks," he said. "How do we extend this secure zone, if you will? How do we help protect the critical infrastructure, key resources?"

At the moment, the Department of Homeland Security has primary responsibility for protecting critical infrastructure. A presidential directive (HSPD 7) says the department will "serve as a focal point for the security of cyberspace." During an appearance at RSA two years ago, Alexander stressed that "we do not want to run cybersecurity for the U.S. government."

That was then. After Cyber Command was created--following reports of a power struggle between DHS and the NSA--it moved quickly to consolidate its authority. An October 2010 memorandum of agreement (PDF) between the two agencies says they agree to "provide mutually beneficial logistical and operational support" to one another.

Senators Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine) recently pledged to reintroduce a controversial bill handing President Obama power over privately owned computer systems during a "national cyberemergency," with limited judicial review. It's been called an Internet "kill switch" bill, especially after Egypt did just that.

Alexander didn't address that point. "The intent would be: let's build how we can do this with DOD, show we can extend that to the government, and then to key critical infrastructure," he said.