NSA Director Says Agency Should Not Monitor Private Networks

The hysteria in Washington regarding the comprehensive infiltration of U.S. government and civilian networks by China has gotten to the point now that the director of the National Security Agency is saying in open Congressional hearings that his agency, the U.S. Cyber Command and others should be presenting the White House with recommendations for non-cyber options for retaliation against Chinese hackers.

Gen. Keith Alexander, the director of both NSA and the Cyber Command, said in a hearing of the Senate Armed Services Committee Tuesday that U.S. officials are “seeing a great deal of Department of Defense related equipment stolen by the Chinese. We do see that from defense industrial base companies throughout.” Asked by members of the committee what the agencies responsible for defending the country’s networks could do to prevent these attacks, Alexander said it needed to start with some simple steps.

“The first thing that strikes my mind, the most important thing is to make it more difficult for the Chinese to do what they’re doing,” Alexander said. “Our intellectual property isn’t well-protected and we could do a better job protecting it. We need to build our defenses and have options that could stop it. The president and the secretary [of defense] need options to stop it. Our responsibility jointly is to say here are the options you can now take to stop it, and depending on the severity, here’s what we would recommend, cyber and other options.”

Alexander didn’t specify what those other options might be, but joked that “I suppose using the rest of STRATCOM would be out”, referring to the military’s strategic command. What Alexander did not joke about, though, was the extent of the attacks that he said Chinese hackers have been executing against U.S. military and private networks. He cited the attack on RSA last year as one example of these operations, and said that the successful operation against the security vendor was an indication of how good the Chinese are at their craft.

“The ability to do it against RSA is such a high-order capability, RSA being one of the best, that if they can do it against RSA, it makes most of the other companies vulnerable,” Alexander said.

But, despite what Alexander and others see as a threat from nation states, hacktivist groups and others that is growing by the day, Alexander said he is not in favor of putting the NSA or any other federal authority in charge of securing private networks. Proposals along those lines have surfaced from time to time in the last few years and have drawn sharp criticism. 

“We are seeing increased exploits into government agencies and the theft of intellectual property is astounding,” he said. “I am not talking about putting the NSA or military into networks to see attacks. We have to work with our partners. We think industry can do that and it’s the right first step. We don’t want the NSA or the military in our networks.”

Discussion

  • Katherine Anthony on

    I was under the impression (which could be wrong) that military contractors are required to meet certain physical access restriction requirements in order to get and keep their contracts. It doesn't seem unreasonable for the military to demand they meet network security requirements as well and be subject to random audits. Visa and MasterCard already require card processors to meet the PCI DSS standards (as woefully inadequate as they are). The most important thing is that they are meaningful standards (i.e. actually capable of preventing an attack), and they are tested regularly. The military could even be nice and keep consulting staff on hand to help contractors meet those standards. That way the private companies are in full control of their networks, but aren't losing valuable R&D research.
