The Pentagon is rewriting the book on how it defends against and possibly responds to cyberattacks against the United States, the top uniformed officer in charge of the effort told Congress on Tuesday.
Gen. Keith Alexander, head of the new Cyber Command, on Monday shed more light on the Pentagon's plans to draft rules of engagement for fighting in cyberspace.
Alexander first revealed DOD’s plans for the rules during a March 20 hearing of the House Armed Services Emerging Threats and Capabilities subcommittee.
Pentagon officials plan to have the new rules finalized within the next two months, Alexander told members of the Senate Armed Services Committee on Tuesday.
"We have got to bring this [strategy] up to the network age," the Cybercom chief told lawmakers.
The goal, according to Alexander, will be expanding DOD's authority in the cyber realm to give the White House more options on how to respond to a large-scale cyberattack.
"I think that is probably where we will end up," Alexander said.
Panel member Sen. Scott Brown (R-Mass.) pressed Alexander on whether the new rules give the Pentagon "enough legroom" to defend U.S. networks and attack others.
Alexander said his command and DOD "are pushing for what we think we need" to update the department's cyber rules.
The current rules governing cyberattacks were drafted in 2005, under then-Chairman of the Joint Chiefs of Staff Gen. Richard Myers, according to Alexander.
Those rules, the four-star general explained, only applied to internal DOD networks and governed what actions could be taken if those networks were breached.
Since then, those rules have been outpaced by the abilities of U.S. adversaries, particularly North Korea and China, to breach American defense and civilian networks.
Most recently, DOD officials confirmed that a cyberattack against U.S. Internet security firm RSA was carried out by China.
RSA, which provides encryption software to the Pentagon and companies like PayPal, had its security software and codes stolen via a Chinese-led cyberattack, according to Alexander.
The company has been able to bounce back from the breach, rewriting new encryption software for the Pentagon and its customers in the private sector. But the incident is further proof that expanding DOD ties with the private sector is key to any future cyber strategy.
Strengthening those ties, particularly companies linked to U.S. "critical infrastructure" such as financial institutions and public energy works, is a crucial element in the Pentagon's new slate of cyber rules, Alexander said.
That partnership is focused more on information sharing, not carving out a spot inside industry networks for the Pentagon.
"Industry … sees [malware] signatures that government does not see" and vice versa, Alexander said.
That partnership will allow DOD to pre-empt potential attacks, rather than being forced to sit back and wait for a breach to come.
"First, we need to see the attack," Alexander said. "If we can't see the attack, we can't stop it."
The new DOD plan would also look to coordinate more with the Department of Homeland Security (DHS) and the Department of Justice.
DHS would take the lead in coordinating with the private sector and defending against attacks on U.S. networks.
If that attack were proven to come from a foreign source, or if a cyberattack were ordered by the White House, DOD would then take over those cyber operations.
Sen. John McCain (R-Ariz.) slammed that approach during Monday's hearing.
"That's a curious logic … most curious," McCain said of the interagency approach. "You are just describing stovepiping."
Within the intelligence community, "stovepiping" refers to collecting raw intelligence in isolated categories without proper integration. McCain has proposed legislation handing Cyber Command and the National Security Agency control of U.S. cyber operations.
"There is a lot of confusion about who does what," Sen. Susan Collins (R-Maine) said, attempting to quell some of the Pentagon-versus-DHS debate during the hearing.
In response, Alexander warned a heavy intelligence or military presence in non-military networks "sends the wrong message."
The interagency approach to cybersecurity and cyber warfare can work, he added, "without having us in the middle of the network."
However, the four-star general reiterated that if an attack does cross the line from homeland defense into the realm of foreign threats to national security, it falls to the military and intelligence community to take the lead.
This story was first posted at 12:43 p.m. and has been updated.