The U.S. military does not have the trained personnel or the legal authorities it needs to respond to a computer-based attack on America or its allies, and a crisis would quickly strain the force, the Pentagon's cyber commander said Wednesday.
Gen. Keith Alexander, head of the Defense Department's Cyber Command, told Congress that he would give the military a grade of "C" in its ability to protect Pentagon networks, but said things are much better than they were a few years ago and continue to improve.
"We are finding that we do not have the capacity to do everything we need to accomplish. To put it bluntly, we are very thin, and a crisis would quickly stress our cyber forces," Alexander said. "We cannot afford to allow cyberspace to be a sanctuary where real and potential adversaries can marshal forces and capabilities to use against us and our allies. This is not a hypothetical danger."
The U.S. government has said its networks are probed and attacked millions of times a day, and that cyber criminals, terrorists and other nations are getting more adept at penetrating government and private networks to spy, steal critical data or affect critical infrastructure such as the electrical grid.
Alexander's grim assessment of America's abilities to fend off cyber threats was echoed earlier in the day by homeland security officials and analysts.
"Whatever we are doing now is not working," said James Lewis, a cybersecurity expert and senior fellow at the Washington-based Center for Strategic and International Studies. "We need to rethink our approach." He said if an enemy launched a cyberattack, "we are unprepared to defend ourselves."
Homeland Security Department Undersecretary Phil Reitinger told the House Homeland Security Committee that the ongoing budget deadlock will trigger funding cuts and hurt the agency's effort to install the Einstein 3 program across the federal networks. Einstein 3 is a sophisticated system that will detect and automatically block intrusions.
Alexander and James Miller, the principal defense undersecretary for policy, said the Pentagon is working steadily to better harden its networks and work with the administration to figure out what authorities the military needs in order to respond to cyberattacks against the government and critical infrastructure which is generally owned and operated by private companies.
The Pentagon is preparing a cybersecurity strategy, and observers have said it must answer key questions about how the military will define cyber war, describe its offensive operations in cyberspace and lay out the steps it can take in response to an attack.
Miller told members of the House Armed Services Subcommittee on Emerging Threats and Capabilities, that U.S. officials are making progress working with other countries on an international understanding and guidelines for cyber activities, including Russia. But, he said, "we have not had the same level of conversations with China."
U.S. officials have been cautious when talking about the cyber threat from China, but have generally acknowledged that a number of the network intrusions emanate from there, although it is difficult to tell whether they are endorsed or orchestrated by the Beijing government.
The military, said Alexander, does not have the cyber force it needs to defend its networks or to ensure its ability to plan and operate in cyberspace. And he said that other nations have cyber weapons that can cripple infrastructure as powerfully as bomb blasts do.
He pointed to recent events across the Middle East, which show that governments can easily block Internet access in order to disrupt civilian protests.
Alexander warned that all future conflicts around the world will have a cyber aspect to them. He said the U.S. military is prepared to conduct computer-based attacks to protect critical infrastructure or respond to an assault on the homeland or American allies. But, he said, the administration and Congress need to better define what the military can do under certain circumstances, including how and when it can take steps to protect civilian networks.