DOD vs. DHS: Who should mind the US' cyber defense?

Arizona Republican Sen. John McCain said in budget hearings March 27 that he is dissatisfied with the Defense Department’s limited role in defending cyberspace and criticized the Homeland Security Department’s ability to oversee civilian cybersecurity.

“Most of us who have been through an airport have no confidence in the technological capability of the Department of Homeland Security,” he said.

With $3.4 billion requested for fiscal 2013, cybersecurity is one of the few areas of expanding investment in an otherwise lean DOD budget, Army Gen. Keith Alexander, commander of the U.S. Cyber Command and director of the National Security Agency, told the Senate Armed Services Committee.

Related coverage:

Lawmakers strum notes on dueling cyber bills 

Alexander called cybersecurity a team sport in which DOD cooperates with DHS and the FBI. He said the Cyber Command’s primary responsibility is to protect DOD networks and respond to attacks from outside U.S. borders, while DHS has responsibility for protecting civilian infrastructure in the U.S.

The hearing on the fiscal 2013 budget requests for the U.S. Strategic and Cyber Commands became a duel over opposing views of how the nation’s cyber defense should be structured, with McCain, the committee’s ranking Republican, maintaining that DOD should be given complete responsibility.

McCain said the idea that DHS should oversee the security of civilian and privately owned networks was “most curious” and called the separate roles of the departments “stovepipes at the ultimate.”

Sen. Joseph Lieberman (I-Conn.) defended the DHS role, saying that the teamwork approach does not create siloed missions but relies on cooperation and information sharing.

McCain and Lieberman have introduced competing cybersecurity bills that underscore their different approaches. Lieberman’s Cybersecurity Act of 2012 (S. 2105) is a comprehensive bill that would give DHS authority to oversee minimum security requirements for designated privately owned critical infrastructure. McCain’s Secure IT Act (S. 2151) focuses only on enabling information sharing between the public and private sectors and includes no role for DHS and no security requirements for private infrastructure.

Lieberman dismissed criticism from McCain that his bill would create a regulatory bureaucracy. “Shame on us if we look at this as business regulation,” he said. “This is cybersecurity.”

One area of agreement in the hearing was the importance of cybersecurity, which Alexander and Air Force Gen. C. Robert Kehler, commander of the U.S. Strategic Command, called one of the most pressing threats to national security. Alexander called the theft of intellectual property from U.S. defense contractors by China “astounding.”

Kehler agreed that the theft of civilian intellectual property is a threat to national security but said that a military response to online espionage currently is not an option for the United States. “Using the rest of Stratcom would be out,” he said. The solution is to make such theft as difficult as possible. “Our intellectual property is not well protected, and we can do a better job of protecting it.”

McCain criticized DOD’s cyber strategy as too dependent on defense and “unsuccessful in dissuading cyber aggression.”

Although not advocating an offensive strategy for cyberspace, Alexander said that U.S. cyber defense needs to become more proactive. “Today we are in the forensic mode,” he said. “I think we should be in the prevention mode.”

He said the Cyber Command can do this with increased cooperation with civilian agencies and with the private sector. The military needs visibility into not only its own networks but global networks outside its control, and this visibility should come from the networks’ operators rather than Cyber Command or the NSA, he added.

“I do not believe we want the military inside our networks, watching it,” he said.

Alexander recommended expanding the current Defense Industrial Base pilot program, in which DOD and NSA supply information, including threat signatures, to selected defense contractors in exchange for information gathered from contractors’ systems.

DIB is being expanded, but a report on the program done early in the pilot phase by Carnegie Mellon University found that NSA provided few signatures to private partners that the companies did not already have and that the companies were able to identify threats without the signatures using tools unknown to NSA.

Alexander acknowledged early shortcomings in DIB but said “that doesn’t mean we can’t do better,” and that communication between DOD and its private partners has improved because of the program.