While the Pentagon and other government security agencies should be prepared to share data on cyber security issues with private companies, direct government takeover of civilian networks is a potentially dangerous move during times of cyber crisis, a group of cyber experts representing private industry told lawmakers today.
All information owners should take the necessary steps to secure their own networks, they said. But during massive cyber attacks the Pentagon should make certain information available to the private companies who operate critical infrastructure such as the national electric grid, said Gerry Cauley, CEO of the North American Electric Reliability Corporation (NERC) during a Feb. 10 House Armed Services emerging threats and capabilities subcommittee hearing on DoD's role in cyber security.
Only if private companies are overwhelmed by a massive cyber event or an electromagenetic pulse blast, should the military be brought in to "stop the bleeding," added Cauley. Still, a direct government takeover of a network could be dangerous, especially if the government agency does not know all the implications such a move could have on critical infrastructure like the national electric grid, cautioned Cauley.
He was joined by Gregory Nojeim of the Center for Democracy and Technology who said the Pentagon's formidable cyber assets should be used in a "supportive role, for example, it should be supporting the efforts of the Department of Homeland Security to work with those private entities to secure their systems. Cyber Command and NSA are going to have information and expertise that will be useful and the important thing will be to loose-it and to access it and to get it to DHS and these other entities" so they can fight cyber attacks all while ensuring the free flow of information that is key to the web's success.
However, this "robust" information sharing should not evolve into a situation where the government conducts routine surveillance of all web traffic or requires mandatory identification for everyone online, added Nojeim.
Still, "it's not clear where all the responsibilities lie and where the authorities are" for all the various government agencies who could assist in responding to an attack on infrastructure such as the electric grid, added Cauley.
This matter the overall theme of the hearing, with subcommitte chairman Mac Thornberry (R-TX) saying:
If a formation of planes or hostile-acting ships came barreling toward a factory or refinery in the U.S., we know pretty well what we expect the military to do. They may try to identify who they are and what they intend. They may try to divert them or shoot them down, but the bottom line is that we expect our military to protect us from threats we cannot handle on our own.
But what do we expect—or should we expect—if a bunch of malicious, or potentially malicious, packets come barreling toward that same factory or facility in cyber space? And then the question will be whether the Department of Defense or the federal government is able and is authorized to do what we expect
Figuring out who should respond to various cyber attacks is a lingering problem due to the fact that determining when an attack is happening, the type of attack and who is executing it can be extremely difficult. Thus, complicating efforts to choose the correct response to the attack from the proper agency. For example, does the military have the authority to go after an unidentified attacker that is crippling our banking system or is that up to DHS or the banking and IT sector?
This diffuculty in attributing who has attacked means that the government and private industry must work to ensure that information systems are redundant enough to work or fight through serious attacks, added Shari Pfleeger of Dartmouth College.