The U.S. government and the private sector lack a common operating scheme for detecting cyberthreats, leaving the country ill-equipped to defend against nation-state hackers, former National Security Agency Director Keith Alexander told lawmakers Wednesday.
“We can’t see … other nations attacking us,” the retired general and first head of U.S. Cyber Command said at a House Armed Services Committee hearing. “As a consequence, we have limited abilities to actually defend our nation at network speed.”
Nation-state-linked hacking groups have flexed their muscles in recent months. The most recent shot across the bow came last month, when the Department of Homeland Security warned that Russian government hackers were collecting information on industrial control systems used in critical U.S. energy sectors.
“We should expect that those countries we have disagreements with will use cyber to attack us. And we’re not ready,” Alexander said at the hearing, which served as a brainstorming session ahead of an annual defense bill that helps shape cybersecurity policy.
During the hearing, Alexander and two former Homeland Security secretaries — Jeh Johnson and Michael Chertoff — weighed in on why, almost a decade after the inception of U.S. Cyber Command, there is still not a clear framework for offensive operations within government.
The U.S. government still hasn’t “firmed up a doctrine and a strategy for how to respond” to cyberthreats, Chertoff said. Lawmakers and U.S. officials have long echoed that grievance, despite policy documents like the recent U.S. Cyber Command “vision” for cyberspace.
Alexander said the U.S. military still lacks clear “rules of engagement” for when to launch hacking operations to counter an adversary.
“You need rules of engagement that say, ‘If I see an attack that is going to destroy our energy sector, our finance sector, or something, and I’ve got 60 seconds to act, you want that person to do the right thing.”
The presumptive next NSA director, Lt. Gen. Paul Nakasone, recently told the Senate Armed Services Committee that the framework for conducting offensive capabilities, Presidential Policy Directive 20, is still “a work in progress.”
For his part, Johnson said the level of public-private information sharing is incommensurate with the threat, despite a 2015 law offering companies liability protections for sharing data.
“I’ve been disappointed that not more entities in the private sector are willing to share information with the Department of Homeland Security because they’re concerned that it will go public, it will be compromised in some way,” Johnson told lawmakers, adding, “That’s a real problem.”
Alexander also urged the U.S. to commit more resources to quantum computing and artificial intelligence. “The country that is the leader in those two technologies will be the future superpower,” he said. “That needs to be us.”