The U.S. military is ill-prepared for waging cyber warfare and needs to bolster defenses against the growing threat of cyber attacks against both military systems and private infrastructure, the commander of U.S. Cyber Command told Congress on Thursday.
"Those attacks are coming and I think those are near term and we're not ready for them," said Army Gen. Keith Alexander, head of Cyber Command and also outgoing director of the National Security Agency.
Alexander, in prepared testimony to the Senate Armed Services Committee, sounded the alarm on the need for better cyber attack and defense capabilities. He said the command’s priorities include setting up a secure "defensible" telecommunications architecture, training cyber warfare personnel, increasing intelligence data on global cyber threats, and clarifying lines of authority for conducting cyber attacks and defending government and private networks.
Cyber Command, currently staffed by 1,100 people, is making progress in all areas, said Alexander, who retires next month. However, he warned that cyber threats are increasing, shifting from temporarily disruptive attacks, to extremely damaging cyber strikes that can destroy data and machines, and potentially threaten the U.S. economy and endanger American lives.
"Despite our progress at U.S. [Cyber Command], I worry that we might not be ready in time," he said. "Threats to our nation in cyberspace are growing."
The main concerns are cyber attacks from nation states such as China or Russia that could create massive power outages in the United States, or an attack on U.S. financial networks, such as stock exchanges and financial institutions, that could cripple the economy.
Asked about the threat posed by Chinese-origin cyber attacks, Alexander sidestepped directly mentioning Chinese cyber warfare capabilities, saying he would only discuss the issue in a closed session.
"We have a lot of infrastructure—electric, our government, our financial networks," he said. "We have to have a defensible architecture for our country, and we've got to get on with that."
Cyber Command also needs to develop methods to prevent adversaries from easily penetrating networks and stealing data, money, and other property, he said.
During a cyber attack, hackers could shut down the power in the Northeast or attack the New York Stock Exchange and damage its data, Alexander said, adding that the financial losses from such attacks could range in the trillions of dollars and potentially cost American lives.
Government computer networks and transportation infrastructure also could be targeted.
Alexander, in his prepared testimony, revealed that the command is grappling with "some key capability gaps in dealing with these increasingly capable threats."
Those who engage in cyber attacks have an advantage over those trying to defend computer networks, and U.S. legacy information systems and some U.S. weapons systems are not "cyber robust" enough, he said.
U.S. military personnel also lack training and readiness needed to confront advanced cyber threats, Alexander added, and military commanders lack confidence about what levels of risk are acceptable in the cyber domain. They also lack a "reliable situational awareness"—military jargon for knowing what is in the battle space, globally or in U.S. military systems, he said.
Command authority for defending networks and conducting cyber attacks also are spread out across the military and U.S. government and cyberwarfare operating concepts are "undefined and not wholly realistic," Alexander said.
U.S. communications system also are vulnerable to attacks, Alexander said, noting that the military need to rapidly develop a "defense in-depth" strategy, including the Pentagon’s new Joint Information Environment, a secure data-sharing network for all military services.
Adm. Cecil D. Haney, commander of the U.S. Strategic Command, which is in charge of Cyber Command, also testified at the hearing that cyber threats are increasing.
"While we have increased our own cyber capabilities, the worldwide cyber threat is growing in scale and sophistication, with an increasing number of state and non-state actors targeting U.S. networks on a daily basis," Haney said.
"Due to cyberspace’s relatively low cost of entry, cyber threats range from state-sponsored offensive military operations and espionage activities, to [violent extremist organizations] intent on disrupting our way of life, to cyber criminals and recreational hackers seeking financial gain and notoriety."
The U.S. supply chain—networks used to purchase goods and services—and critical infrastructure also remain vulnerable to cyber attack.
"Even as we detect and defeat attacks, attribution remains a significant challenge," Haney said.
Haney said plans call for creating 133 "cyber mission teams" staffed by over 6,000 people by the end of 2016. So far 17 teams are deployed in a variety of missions within combatant commands and at Cyber Command headquarters at Fort Meade, Md.