US Cyber Command chief warns of rising cyberattacks on banks
In his opening remarks, Senate Armed Services Chairman Carl Levin (D-Mich.) raised concerns about reports of China hacking into the computer systems of American companies and called for the U.S. and its allies to start “imposing costs and penalties on China for this behavior.”
“I think there is a consensus here in the Congress that this has got to stop and we’ve got to find ways of preventing it,” Levin added.
During his testimony, Alexander didn’t publicly divulge much about the intelligence community’s ability to determine which Chinese organizations are stealing intellectual property, and which Chinese companies are receiving this proprietary information. When asked by Levin, the four-star general said the intelligence community “has increased its capabilities in this area significantly in the last seven years.”
But the Cyber Command chief stressed that the U.S. needs to clamp down on this intellectual property theft, warning it will ultimately “hurt our nation significantly.”
“For the nation as a whole, this is our future. This intellectual property, from an economic perspective, represents future wealth and we’re losing that,” Alexander said.
During his testimony before the committee, Alexander rarely made mention of China. But just a day earlier, Tom Donilon, the president’s national security adviser, urged China to crack down on hackers within its borders who are stealing intellectual property from American companies. It was the most direct comment an administration official has made on China’s hacking campaigns to date.
Following the hearing, Alexander told reporters that he agreed with Donilon’s remark, saying “it’s absolutely on mark.”
To respond to the rising cyber threat facing the U.S., Cyber Command is developing three sets of teams to defend the U.S. cyberspace. Alexander emphasized that one these teams — known as the “defend the nation team” — would have offensive capabilities that “the Defense Department could use defend the nation if it were attacked in cyberspace.”
Levin said the Armed Services Committee has previously highlighted the slow progress the Defense Department and Cyber Command has made on crafting “effective, mature policy, strategy, rules of engagement, doctrine, roles and missions, and command and control arrangements.” However, Levin said its efforts appear “to be picking up steam,” noting that the Joint Staff will soon issue its first-ever document “covering cyber doctrine” and rules of engagement for military commanders.
Alexander urged Congress to pass legislation that would give companies legal cover from lawsuits if they share information about cyber threats spotted on their computer networks with the government.
“They don’t have the authority to share that information with us at network speed,” Alexander said, which he argued is key to thwarting cyberattacks.
On the other hand, the legislation should also make it easier for the government to relay classified data about forthcoming cyber threats and attacks to companies so they can safeguard their computer systems and networks, he argued.
Alexander stressed that the government is not interested in receiving the “content of communications,” only information about online threats, from companies. Civil liberties and privacy groups have argued that cyber information-sharing legislation should be narrowly tailored so companies cannot hand over streams of people’s personal information and other electronic communications.
A House bill put forward by Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) this year aims to remove the legal hurdles that prevent government and industry from sharing data about online threats with one another in real time.
The bill, the Cyber Intelligence Sharing and Protection Act, would allow companies to share this data with the Department of Homeland Security and the intelligence community, including the National Security Agency. Civil liberties groups have come out fiercely against the bill, saying it lacks sufficient privacy protections.
The Senate plans to return to its work on cybersecurity legislation this year but has yet to put forward a bill. At the hearing, Sen. Lindsey Graham (R-S.C.) said he is working with Sen. Sheldon Whitehouse (D-R.I.) on a measure that would identify critical infrastructure in the U.S. and allow industry to come up with a set of cybersecurity best practices. Companies operating critical infrastructure would receive liability protection if they follow these practices, Graham said.