Alexander Makes Case for Info Sharing Law

Cyber Commander Contends Privacy Concerns are Misplaced

By , March 13, 2013.
The U.S. military's Cyber Command commander, Army Gen. Keith Alexander, says it's vital that Congress enact a law giving the owners of the nation's critical infrastructure, especially Internet service providers, liability protection so they can share cyberthreat information with the government.

In his testimony before the Senate Armed Services Committee on March 12, Alexander also said it wasn't the role of the government to defend American banks against distributed-denial-of-service attacks that have targeted them for the past several months [see New Wave of DDoS Attacks Launched].

On the need for information sharing legislation, Alexander said ISPs are situated to identify cyberattacks before anyone else can, but are reluctant to do so because of a fear they could be targets of lawsuits. "They have the technical capability, but they don't have the authority to share information with us at network speed," said Alexander, who also serves as director of the National Security Agency, DoD's super-secret electronic spy agency. "They need liability protection when they share information back and forth."

President Obama issued an executive order in February that called on the government to share cyberthreat information with critical infrastructure owners, but only an act of Congress can give businesses liability protection to share cyberthreat information with the government and other businesses [see Obama Issues Cybersecurity Executive Order].

Acting in Good Faith

Mistakes happen, and ISPs or infrastructure owners should be protected from lawsuits when they act as agents of the federal government, Alexander said, adding: "They spend a lot of time responding to lawsuits when we ask them to do something."

Alexander said he could imagine a situation in which the government asks an ISP to stop a specified segment of Internet traffic containing a threat signature, which the government later realizes it mischaracterized. Under existing law, he said, the ISP could be sued for damages if the disruption of traffic causes another business financial harm.

"It's in that venue that we have to give them immunity from those kinds of actions," Alexander said. "I'm not talking about giving them broad, general immunity. When they're dealing with the government in good faith in these areas, we should protect them for what we're asking them to do."

Legislation to give infrastructure owners such protections, the Cyber Intelligence Sharing and Protection Act, was reintroduced in the House last month [see Lawmakers to Introduce New Version of CISPA]. Some CISPA critics have said they believe some infrastructure owners could use the protections in the bill to counter lawsuits that have nothing to do with cyberthreat information sharing with the government.

Obama last year threatened to veto a similar version of CISPA, in part, because of concerns that the bill could threaten the privacy of citizens [see Obama Threatens to Veto Cybersecurity Bill]. The administration has not yet taken a position on the bill this year.

The E-ZPass Parallel

Alexander didn't mention CISPA in his testimony, but said concerns over privacy are misplaced. He provided this analogy to explain why he believes sharing of classified information won't expose citizens' private information:

"Think of this as going up to New York City on the New Jersey Turnpike; the E-ZPass would see a car going by. We're telling the Internet service providers that if you see a red car, tell us that you saw a red car, where you saw it and where it's going. In cyberspace, it would be that they saw this significant event going from this Internet address to the target address, and they could tell [so] at network speed and they could stop that traffic. ... That does not get into the content of those communications. I think it's absolutely important for people to understand: We're not asking for content. We're asking for information about threats. Think about that as metadata."

Alexander gave another reason for the need for information sharing legislation: It would be impractical for the government to replicate the work of the ISPs. "Government could not easily scale to what the Internet service providers can do," he said. "It would be very costly, very inefficient. So we're asking industry to do that."

DoD Not in Best Position to Mitigate DDoS Attacks

Follow Eric Chabrow on Twitter: @GovInfoSecurity
