The key to this is crafting legislation that protects privacy while facilitating sharing between intelligence agencies, Internet Service Providers (ISPs), and critical infrastructure, explained Alexander at the two-day event at Georgia Tech University.
"We don't need to read communications," he said. "We just need the Internet Service Providers and the companies to say, '…you told me to tell you if I saw this coming, I see this coming, I can tell you at network speed, and I can do it in a metadata-like format that eliminates the privacy information and gets you what you need to protect the country and what we need to protect our civil liberties and privacy.'"
"We can do both," he said.
Key to this, he said, will be liability protections for businesses that share information – a sticking point in conversations about cybersecurity legislation during the past year – as well as the development of standards.
"Where this gets really hard, is when we say now we want to set standards and reporting vehicles," Alexander said. "The first thing everyone gets nervous about is you are going to set up a framework that's going to be a bureaucratic nightmare."
The Executive Order on cybersecurity signed last month by U.S. President Barack Obama is a good first step in addressing this issue because it allows the government to start working with industry sectors to develop the best approach for getting them to "the right level of network security" as well as incentivize improvements, Alexander said.
Protecting critical networks also means developing true situational awareness in cyberspace, but that remains elusive, he said.
"You've got to see what's going on in the network to understand what the adversary is trying to do to you," he noted. "Right now we defend it by saying I think they are going to come in here, I have a way of patching vulnerabilities, I'll do that and wait and see what happens. Most of the folks who get into the networks are in there for six to nine months before they're discovered. I would suggest to you all that's not a great way to secure your networks."
Further complicating the issue is that many organizations do not have defensible architectures, he said.
"The Defense Department has 15,000 enclaves," he said. "Each one separately guarded, each one administrated by a group of folks, and each one then applies patches based on the needs of that one that are pushed out through a whole mechanism that takes forever in cyber-terms."
"When you think about why does it take so long, 'well I'm not sure how it's going to impact this system; we're going to do this, and then I've got to do this'…it's because of our architecture."
Closing the exploitability window – the time period between when an exploit for a vulnerability is discovered and a patch is deployed – is key for security, he said.
"You want to make that time zero," he said. "We've got to come up with an architecture that does that. I think thin virtual cloud is a step in that direction."