Only one newspaper — the conservative Washington Times — has picked up on the cryptic but crucial conversation yesterday between Rep. James Langevin and General Keith Alexander in a sparsely attended hearing of the House Armed Services Committee yesterday. Langevin (chair of a congressional subcommittee on cybersecurity) asked General Alexander (head of the military’s National Security Agency and chief military leader of the Defense Department’s CyberCommand) about the use of the U.S. military to ensure cybersecurity over “critical infrastructure.”
The conversation sounds possibly innocuous and almost certainly inscrutable unless you keep three pieces of information in your mind:
1. General Keith Alexander is the head of two powerful surveillance agencies of the Defense Department.
2. When James Langevin speaks of “critical infrastructure” regarding cybersecurity, he has made clear in the pasthe is referring not only to the nation’s public transportation and power utilities, but also to the nation’s financial institutions and telecommunications networks.
3. Rep. James Langevin is asking the military what new authorities it would like to be granted in a forthcoming piece of legislation.
Watch the exchange for yourself, about 1 hour and 2 minutes into video of yesterday’s House Armed Services Committee hearing, or read this transcript:
Rep. James Langevin: General, I want to ask you a direct question. If we the nation were to endure a major cyberattack right now, could you defend the nation against that attack? Do you have the authorities to defend the nation against that attack? Obviously, we’re talking about the whole of our cybercritical infrastructure.
As I’ve said, and I know of course the president in his first major address on cybersecurity, the first major world leader to make a major address on cybersecurity, said that our cyberassets, our critical nation assets, these are a national priority to defend them, but my question is again to you, could you defend the nation right now against a major cyberattack? Do you have the authorities that you need?
General Keith Alexander: First, Congressman, thanks for your great support in all the cyberareas, in all that you’ve done over the past years on this, this has been tremendous and we appreciate it. To answer your question directly, it is not my mission to defend today the entire nation. Our mission in Cybercommand is to defend the Defense Department networks. And, as, if we are tasked by either the Secretary or the President to defend those networks, then we’d have to put in place the capabilities to do that. But today we could not.
Rep. Langevin: And what would you need to do that, General?
General Alexander: I think this is what the White House, Congressman, is actually looking at, is how do you form the team to do the mission that you’ve put on the table? How do we develop the team between the Department of Homeland Security, FBI, Cybercommand and others to work as a team to defend the nation in cyberspace, and in that what are the role and responsibility of each member in that team? And then let’s walk through in a wargame — my words — how that would work, and ensure that everybody has the exact authorities and capability to do what needs to be done to protect the country. Those are the steps that we’re going through. It’s under the leadership of the White House right now. Howard Schmidt, his folks are leading that to look at this. We get to participate in that, to put forward our ideas on how the country could be protected — specifically, the government, the government networks, and what I’ll call critical infrastructure.
Rep. Langevin: Well, let me press you a little bit more. If America in fact experienced a serious high-profile attack today against our critical infrastructure — perhaps our power grid, banking sector, transportation — what are the rules for self-defense in cyberspace? Can you walk us through how such an attack would occur? And how would the U.S. government work to stop it and ensure the security of our citizens?
General Alexander: That’s a great question. OK, to be very direct on it, if an attack were to go against the power grids right now, the defense of that would rely heavily on commercial industry to protect it. If commercial industry had the signatures and the capabilities in place to weed out that attack, then they would be successful. The issue that you’re really getting to is what happens when an attacker comes in with an unknown capability. That unknown capability would have the ability to shut down either the banks or the power grid if it got through. So to defend against that we need to come up with a more, in my terms, a more dynamic or active defense that puts into place those capabilities that we need to defend in a crisis. That’s what we are working right now in the Department to do to ensure that that works, and actually working closely with the Department of Homeland Security and the White House to show how that could be done. And they are looking at that as a model to put in place, and now trying to assure that they have the authority to do that, looking at how that would all be created, and if they don’t have that how they would bring it forward to you.
In context, the meaning of this conversation is clear: the Obama administration is working on a plan requiring new powers for the U.S. military. Langevin hopes to shepherd a bill providing these new powers through Congress. The new powers involve the extension of military control over public transportation, power plants, banks and telecommunications networks.
That’s a big deal. Pay attention.