Risk
9/23/2010
09:21 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cyber Command Director: U.S. Needs To Secure Critical Infrastructure

General Keith Alexander says the new U.S. Cyber Command will work to protect the nation's key industries and defense networks from devastating cyber attacks.

The command is collocated at Maryland's Fort Meade with the National Security Agency, which Alexander also leads. Alexander characterized the collocation as critical to Cyber Command's success, since NSA can provide both the technical talent key to protecting defense networks and the intelligence key to helping attribute attacks to particular people, organizations or nations.

Each military service has a unit that will support Cyber Command's mission. Among them, the Army Forces Cyber Command will reach full operating capability along with U.S. Cyber Command on October 1, and the 24th Air Force recently passed an inspector general audit of its own operating capability and is thus well on its way to full capability as well.

Alexander said that he has done some scenario walkthroughs with the Department of Defense, the White House and other federal agencies, noting that from a military perspective, he likes to run wargames to better understand capabilities and authorities. "I don't want to fail in meeting the expectations of the American people, the White House and Congress when something happens in cyberspace, and they say, 'well, where was Cyber Command on this?'"

In fact, U.S. Cyber Command was born out of decisions made in the aftermath of Operation Buckshot Yankee, the military's 14-month response to a worm that spread on defense networks via flash drive in 2008, exfiltrating military information along the way to what Pentagon leaders, including Alexander, say was a foreign nation state. "We've got to do a better job at defending [our networks], and that's why we put U.S. Cyber Command together," Alexander said. Cyber Command's budget was about $120 million this fiscal year, and will be about $150 million in fiscal 2011, mostly going to contracts.

More broadly, Alexander applauded efforts underway in Congress and the White House to look at how laws and policy need to be changed to address today's cybersecurity problems. "The laws we did 35 years ago are laws now that we need to update," he said, noting that legal and policy changes will likely need to go through revisions to get them just right, and that explaining the changes to the American people will be a key part of the process. "We can protect civil liberties and privacy and still do our mission."

"This is one of the most critical problems our country faces," Alexander said. "We're losing money today, and there is a real probability in the future this country will be hit by a destructive attack. We need to be ready for it."

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6646
Published: 2014-09-23
The bellyhoodcom (aka com.tapatalk.bellyhoodcom) application 3.4.23 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6647
Published: 2014-09-23
The ElForro.com (aka com.tapatalk.elforrocom) application 2.4.3.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6648
Published: 2014-09-23
The iPhone4.TW (aka com.tapatalk.iPhone4TWforums) application 3.3.20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6649
Published: 2014-09-23
The MyBroadband Tapatalk (aka com.tapatalk.mybroadbandcozavb) application 3.9.22 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6650
Published: 2014-09-23
The NextGenUpdate (aka com.tapatalk.nextgenupdatecomforums) application 3.1.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio