Risk
9/23/2010
09:21 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cyber Command Director: U.S. Needs To Secure Critical Infrastructure

General Keith Alexander says the new U.S. Cyber Command will work to protect the nation's key industries and defense networks from devastating cyber attacks.

The command is collocated at Maryland's Fort Meade with the National Security Agency, which Alexander also leads. Alexander characterized the collocation as critical to Cyber Command's success, since NSA can provide both the technical talent key to protecting defense networks and the intelligence key to helping attribute attacks to particular people, organizations or nations.

Each military service has a unit that will support Cyber Command's mission. Among them, the Army Forces Cyber Command will reach full operating capability along with U.S. Cyber Command on October 1, and the 24th Air Force recently passed an inspector general audit of its own operating capability and is thus well on its way to full capability as well.

Alexander said that he has done some scenario walkthroughs with the Department of Defense, the White House and other federal agencies, noting that from a military perspective, he likes to run wargames to better understand capabilities and authorities. "I don't want to fail in meeting the expectations of the American people, the White House and Congress when something happens in cyberspace, and they say, 'well, where was Cyber Command on this?'"

In fact, U.S. Cyber Command was born out of decisions made in the aftermath of Operation Buckshot Yankee, the military's 14-month response to a worm that spread on defense networks via flash drive in 2008, exfiltrating military information along the way to what Pentagon leaders, including Alexander, say was a foreign nation state. "We've got to do a better job at defending [our networks], and that's why we put U.S. Cyber Command together," Alexander said. Cyber Command's budget was about $120 million this fiscal year, and will be about $150 million in fiscal 2011, mostly going to contracts.

More broadly, Alexander applauded efforts underway in Congress and the White House to look at how laws and policy need to be changed to address today's cybersecurity problems. "The laws we did 35 years ago are laws now that we need to update," he said, noting that legal and policy changes will likely need to go through revisions to get them just right, and that explaining the changes to the American people will be a key part of the process. "We can protect civil liberties and privacy and still do our mission."

"This is one of the most critical problems our country faces," Alexander said. "We're losing money today, and there is a real probability in the future this country will be hit by a destructive attack. We need to be ready for it."

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9676
Published: 2015-02-27
The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.

CVE-2014-9682
Published: 2015-02-27
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

CVE-2015-0655
Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184.

CVE-2015-0884
Published: 2015-02-27
Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.

CVE-2015-0885
Published: 2015-02-27
checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.