WASHINGTON — To the list of folks skeptical about the military's cyber corps becoming its own service branch, add former NSA and US Cyber Command chief Keith Alexander.
Defense Secretary Ash Carter raised eyebrows during his recent visit to the U.S. Cyber Command headquarters in Maryland when he said, "There may come a time when it makes sense," in response to a question.
"And I think you have to look at this as the first step in a journey that may, over time, lead to the decision to break out Cyber the way that you said the Army Air Corps became the U.S. Air Force, the way Special Operations Command was created ... with a somewhat separate thing, although that still has service parts to it," he said.
But Alexander, speaking at an American Enterprise Institute event Friday focused on Iranian-backed cyber attacks, said he favors a go-slow approach, training forces, and refining policies and the rules of engagement first.
"There were many who espoused a separate service," Alexander said. "In 2007, we laid out in a document, what's the right thing to do evolve Cyber Command. We looked at a sub-unified, a unified, a functional command and a separate service. It was my opinion that we go to a unified-functional, similar to SOCOM [US Special Operations Command].
"I was not in synch on taking it to a separate service for a couple of reasons," he said. "First, I thought that the forces needed to be embedded in tactical configurations, and if they needed to do that, the services should be involved. So the second part is this is a new area, there is no need to jump. Let's take a step to the unified and functional, see how it is."
The Department of Defense retains a role against cyber attacks, Alexander said, because "the distance between a cyber attack and a physical attack is short." Industry, on the other hand, should not have a free hand to conduct attacks because they might, "get the wrong bad guy" or "start a deeper war," with an enemy.
"That should be the administration's responsibility, and if you follow that logic, then government has a role and a responsibility to do that," Alexander said.
The next logical step is for the government to establish a venue for industry to share information when it is attacked, instead of the government constantly monitoring corporate networks — but it must share information in real time, much like the nation's air traffic control or missile defense systems.
Transparent information-sharing agreements must be established, ones that exclude personal information, such that the the government can respond if a Sony or other company is being attacked. If an individual bank is attacked, for instance, it can share information that helps the government respond.
As Congress debates cyber legislation, Alexander urged its passage, so long as it is flexible enough to account for technological change and is not overly prescriptive. The legal framework must also include safeguards that limit the liability for companies as they follow government guidance.
Asked whether the US has the technical tools to deter attacks, given their massive volume and frequency, Alexander acknowledged that deterrents have a limited effect when nation-states — and he mentioned Iran and Russia doing this earlier — view cyber attacks as a symmetric response to economic sanctions.
In the session, Alexander displayed a sense of humor and quipped at one point that he was better able to speak freely since leaving government. He was asked to weigh in on Wikileaks releasing e-mails from the Sony hack that show its government ties ("Two wrongs don't make a right"), the vulnerability of Wi-Fi wi-fi on airplanes ("We need to ask, 'Can we make it free and more reliable?'"), and the national security danger posed by former Secretary of State Hillary Clinton's use of private servers ("Danger, Will Rogers! [sic])"
In answer to the last, Alexander piled on a few caveats, that he didn't know some specifics in Clinton's case and didn't want to "jump backwards" onto a presidential candidate. Then he said the government should have a policy about storing and protecting communications.
"Actually the rules, looking backward, are too loose," he said. "It's 'what's the best thing to do,' people look at it and that allows them to roll their own. I'm not sure that that's the best. We can do better on defense and come up with better policies."