Cyber Commander Addresses DDoS

Says It's Not Government's Role to Defend Banks

By Eric Chabrow, March 13, 2013.

Credit Eligible

• 
• 
• 
• 

Army Gen. Keith Alexander, who heads the U.S. military's Cyber Command, says it isn't the role of the government to defend American banks against distributed-denial-of-service attacks that have targeted them for the past several months [see New Wave of DDoS Attacks Launched].

See Also: Data Breach Battle Plans for Financial Services

In his testimony before the Senate Armed Services Committee on March 12, Alexander said the military should not defend American financial institutions and other organizations against DDoS attacks, at least in their current iterations, because these digital assaults are more of a nuisance than a vehicle to cause catastrophic harm to the economy.

"Those types of attacks are probably best mitigated by the Internet service providers," Alexander said. "The issue that we're weighing is: When nuisance become a real problem, when are you prepared to step in for that?"

That, he said, is a matter the Obama administration is mulling.

Meanwhile, he doesn't see DDoS attacks going away. "What we're seeing with the banks today, I'm concerned it's going to grow significantly throughout the year." [See DDoS Attacks Spread Beyond Banking.]

Liability Protection

In his testimony, Alexander also said it's vital that Congress enact a law giving the owners of the nation's critical infrastructure, especially Internet service providers, liability protection so they can share cyberthreat information with the government.

On the need for information sharing legislation, Alexander said ISPs are situated to identify cyberattacks before anyone else can, but are reluctant to do so because of a fear they could be targets of lawsuits. "They have the technical capability, but they don't have the authority to share information with us at network speed," said Alexander, who also serves as director of the National Security Agency, DoD's super-secret electronic spy agency. "They need liability protection when they share information back and forth."

President Obama issued an executive order in February that called on the government to share cyberthreat information with critical infrastructure owners, but only an act of Congress can give businesses liability protection to share cyberthreat information with the government and other businesses [see Obama Issues Cybersecurity Executive Order].

Acting in Good Faith

Mistakes happen, and ISPs or infrastructure owners should be protected from lawsuits when they act as agents of the federal government, Alexander said, adding: "They spend a lot of time responding to lawsuits when we ask them to do something."

Alexander said he could imagine a situation in which the government asks an ISP to stop a specified segment of Internet traffic containing a threat signature, which the government later realizes it mischaracterized. Under existing law, he said, the ISP could be sued for damages if the disruption of traffic causes another business financial harm.

"It's in that venue that we have to give them immunity from those kinds of actions," Alexander said. "I'm not talking about giving them broad, general immunity. When they're dealing with the government in good faith in these areas, we should protect them for what we're asking them to do."

Legislation to give infrastructure owners such protections, the Cyber Intelligence Sharing and Protection Act, was reintroduced in the House last month [see Lawmakers to Introduce New Version of CISPA]. Some CISPA critics have said they believe some infrastructure owners could use the protections in the bill to counter lawsuits that have nothing to do with cyberthreat information sharing with the government.

Obama last year threatened to veto a similar version of CISPA, in part, because of concerns that the bill could threaten the privacy of citizens [see Obama Threatens to Veto Cybersecurity Bill]. The administration has not yet taken a position on the bill this year.

The E-ZPass Parallel

Alexander didn't mention CISPA in his testimony, but said concerns over privacy are misplaced. He provided this analogy to explain why he believes sharing of classified information won't expose citizens' private information:

• 1
• 2

Follow Eric Chabrow on Twitter: @GovInfoSecurity