The U.S. military's Cyber Command commander, Army Gen. Keith Alexander, says it's vital that Congress enact a law giving the owners of the nation's critical infrastructure, especially Internet service providers, liability protection so they can share cyberthreat information with the government.
In his testimony before the Senate Armed Services Committee on March 12, Alexander also said it wasn't the role of the government to defend American banks against distributed-denial-of-service attacks that have targeted them for the past several months [see New Wave of DDoS Attacks Launched]
On the need for information sharing legislation, Alexander said ISPs are situated to identify cyberattacks before anyone else can, but are reluctant to do so because of a fear they could be targets of lawsuits. "They have the technical capability, but they don't have the authority to share information with us at network speed," said Alexander, who also serves as director of the National Security Agency, DoD's super-secret electronic spy agency. "They need liability protection when they share information back and forth."
President Obama issued an executive order in February that called on the government to share cyberthreat information with critical infrastructure owners, but only an act of Congress can give businesses liability protection to share cyberthreat information with the government and other businesses [see Obama Issues Cybersecurity Executive Order].
Acting in Good Faith
Mistakes happen, and ISPs or infrastructure owners should be protected from lawsuits when they act as agents of the federal government, Alexander said, adding: "They spend a lot of time responding to lawsuits when we ask them to do something."
Alexander said he could imagine a situation in which the government asks an ISP to stop a specified segment of Internet traffic containing a threat signature, which the government later realizes it mischaracterized. Under existing law, he said, the ISP could be sued for damages if the disruption of traffic causes another business financial harm.
"It's in that venue that we have to give them immunity from those kinds of actions," Alexander said. "I'm not talking about giving them broad, general immunity. When they're dealing with the government in good faith in these areas, we should protect them for what we're asking them to do."
Legislation to give infrastructure owners such protections, the Cyber Intelligence Sharing and Protection Act, was reintroduced in the House last month [see Lawmakers to Introduce New Version of CISPA]. Some CISPA critics have said they believe some infrastructure owners could use the protections in the bill to counter lawsuits that have nothing to do with cyberthreat information sharing with the government.
Obama last year threatened to veto a similar version of CISPA, in part, because of concerns that the bill could threaten the privacy of citizens [see Obama Threatens to Veto Cybersecurity Bill]. The administration has not yet taken a position on the bill this year.
The E-ZPass Parallel
Alexander didn't mention CISPA in his testimony, but said concerns over privacy are misplaced. He provided this analogy to explain why he believes sharing of classified information won't expose citizens' private information:
"Think of this as going up to New York City on the New Jersey Turnpike; the E-ZPass would see a car going by. We're telling the Internet service providers that if you see a red car, tell us that you saw a red car, where you saw it and where it's going. In cyberspace, it would be that they saw this significant event going from this Internet address to the target address, and they could tell [so] at network speed and they could stop that traffic. ... That does not get into the content of those communications. I think it's absolutely important for people to understand: We're not asking for content. We're asking for information about threats. Think about that as metadata."
Alexander gave another reason for the need for information sharing legislation: It would be impractical for the government to replicate the work of the ISPs. "Government could not easily scale to what the Internet service providers can do," he said. "It would be very costly, very inefficient. So we're asking industry to do that."
DoD Not in Best Position to Mitigate DDoS Attacks
The cyber commander also testified it was not the military's role to defend American financial institutions and other organizations against DDoS attacks, at least in their current iterations, when these digital assaults are more of a nuisance than a vehicle to cause catastrophic harm to the economy.
"Those types of attacks are probably best mitigated by the Internet service providers," Alexander said. "The issue that we're weighing is: When nuisance become a real problem, when are you prepared to step in for that?"
That, he said, is a matter the Obama administration is mulling.
Meanwhile, he doesn't see DDoS attacks going away. "What we're seeing with the banks today, I'm concerned it's going to grow significantly throughout the year." [See DDoS Attacks Spread Beyond Banking.]