Defending our nation in cyberspace


Cyberattacks are coming in the near term and America is not ready for them.

We need to pass cybersecurity legislation in order to enable better information-sharing between government and industry. We must be transparent on cyber legislation so the American people will support it. Without legislation, we will not be able to defend the nation from cyberattacks.

Cyberspace has become vital to our economy and the foundation for a growing global community. The many positive benefits of cyberspace include promoting democracy, increasing trade and fostering exchanges on health, education and the environment. At the same time, the critical systems that underpin our national security and economic activities, as well as our public health and safety systems, are increasingly vulnerable to attacks from criminals, terrorists and other malicious actors. It is going to take a team approach, across all three branches of the U.S. government and an effective partnership with the private sector, to meet this challenge.


Less than two years ago, the president convened his Cabinet and homeland security, defense and intelligence leaders to deal with toxic clouds that spread and contaminated water supplies when unknown hackers remotely sabotaged the networks that operated much of America’s transportation and industrial systems.

That event was just an exercise designed to see how federal, state and local governments could work together and with the private sector to respond to a crisis caused by cyberattacks. It may have seemed far-fetched at the time, but each passing day brings such a scenario closer to reality. Vital systems now suffer daily attacks through cyberspace, and the attacks are growing in number and severity.

Economic theft in cyberspace is widespread. Cyber actors have looted aerospace, financial, information technology, defense, energy and service enterprises around the world. Some of these activities are being conducted on behalf of foreign governments and are directed at U.S. industries with the intent of providing competitive advantage to those countries’ companies and commercial sectors vis-a-vis American companies. Cyber actors have scanned supervisory control and data acquisition systems, which monitor and control plants and equipment, for vulnerabilities and in some cases exfiltrated critical information about system configurations and architectures.

Increasingly disruptive and destructive cyberattacks have occurred against critical infrastructure across the globe. Beginning in September 2012, the U.S. financial sector suffered massive distributed denial-of-service (DDoS) attacks that continued off and on for almost a year. Such disruptions once seemed more annoying than dangerous, but the advanced DDoS capabilities that were displayed could degrade even the best protection on the Internet.

Attackers have also shown their determination to inflict physical harm on certain targets. In August 2012, Saudi Arabia’s oil company, Aramco, suffered a large-scale DDoS attack that ran through networks in the United States, inhibiting our ability to provide appropriate warning (indeed, the high traffic volume significantly disrupted the public connectivity to a U.S. telecommunications company). The attackers also launched a virus against the hard drives of more than 30,000 computers at Aramco, overwriting and effectively destroying data.

Many of Aramco’s vulnerabilities also exist in U.S. critical infrastructure networks. A similar attack could incapacitate portions of our energy sector, financial institutions, communication networks and government systems. This could cause financial loss to businesses and consumers, as well as health and public safety risks stemming from lengthy power outages. We saw a real-world example just last month when a destructive attack against a U.S.-based entertainment business shut down its networks for almost a week, costing millions of dollars in remediation expenses and lost income.

Whether or not any particular state intends to inflict such damage on the United States in the foreseeable future, the capabilities to wreak cyber havoc have spread beyond states to actors who lack accountability and perhaps even the skills to calibrate the damage they inflict. The danger of miscalculation is great, which is why we cannot rely solely on efforts to deter major cyberattacks.

The U.S. government alone cannot fully defend American companies and citizens against cyberattacks. Today, upwards of 85 percent of the critical infrastructure in the United States is owned and managed by the private sector. Protecting that infrastructure depends first upon a common understanding of what is happening on the Internet and inside the networks of the companies that own and manage vital systems. No single entity, public or private, can yet grasp holistically all actions and attacks on the networks in real time. In some cases, private network defenders are prohibited from sharing their incident data with the government. The defense of the country’s critical infrastructure requires collaboration across the federal agencies and a government-industry relationship to share information in real time.

Building upon that shared awareness, our government needs the combined authority of law enforcement and national and homeland security elements that can operate in cyberspace in defense of our nation. Officials with these authorities must be able to act together as a team to discover threats, assess their impact, stop an attack, mitigate harm and create time for the president or delegated authorities to determine appropriate responses.

We in government and in the private sector also need methods to provide meaningful information to network defenders about incoming threats to infrastructure while protecting privacy and civil liberties. Those methods are not in place today.

Legislation is vital to establish a clear legal framework required to fix this. It must include robust safeguards for privacy and civil liberties. It should help private-sector owners and operators defend against some threats on their own networks and, as authorized, on those of their customers. It should enable these entities to share (with each other and with the U.S. government) threat information. Finally, legislation should incentivize the private sector to develop and implement standards to better secure their networks.

Tomorrow is too late. The time to prevent debilitating damage to U.S. critical infrastructure, and the conflict escalation that could follow, is now.

Alexander is director of the National Security Agency and commander of the U.S. Cyber Command.