Cyber Questions

By John Liang / April 2, 2012 at 7:37 PM

Senate Armed Services Committee Ranking Member John McCain (R-AZ) wants some answers from Army Gen. Keith Alexander, the head of the National Security Agency and U.S. Cyber Command.

In a March 29 letter to Alexander, McCain writes:

During your testimony before the Senate Armed Services Committee earlier this week on the roles and responsibilities of U.S. Cyber Command and the National Security Agency in protecting the United States from the threats we face in the cyber domain, you stated unequivocally that the U.S. Government needs no additional authorities to deter and defend against cyber attacks on our nation. Yet, just last November, in remarks at the U.S. Strategic Command Cyber and Space Symposium, you stated that "we have to have more authorities to protect ourselves in cyberspace, we just can't defend." I do not understand what caused you to abandon this latter view, which is consistent with the views of former Vice Chairman of the Joint Chiefs of Staff, Gen. James Cartwright, who asserted that we are "on the bad side of a divergent threat" and must shift from a strategy that focuses 90 percent of our resources on playing defense to one that imposes meaningful consequences to those who look to hold U.S. interests at risk via cyberspace.

A February 27, 2012 article in the Washington Post suggests that the White House cautioned you to refrain from publicly arguing for expanded government authorities related to cyber security and defense. The article quotes an Administration official as saying you were reminded that making statements inconsistent with official Administration policy is "undermining the commander-in-chief." I was very disappointed that your testimony to this Committee appears to have been more heavily influenced by White House policy, rather than your best military and technical advice and expertise.

As I stated at the hearing, I view the inevitability of a large-scale cyber attack as an existential threat to our nation. Therefore, I am deeply concerned by your endorsement of the Administration's proposal to appoint the Department of Homeland Security as the lead agency responsible for ensuring domestic security against cyber attacks. Our vulnerability to cyber attacks will not be remediated by creating additional layers of bureaucracy in an agency already failing in several of its core missions, including aviation security and border control. I do not understand why you believe DHS can more effectively protect our nation's critical infrastructure better than U.S. Cyber Command or the National Security Agency.

Consequently, McCain wants answers to the following questions:

* What additional authorities do you believe are necessary to defend the United States from a cyberattack initiated by a peer-competitor like China or Russia?

* Which agency within the federal government has the most cybersecurity expertise and is most capable of protecting our critical infrastructure?

* Does the Department of Defense rely on any critical infrastructure that, under the Administration's proposals, would be subject to Department of Homeland Security oversight?

* Can the Department of Homeland Security currently protect our national interest in the cyber realm without NSA involvement?

* Do you believe we are deterring and dissuading our adversaries in cyberspace?

* With respect to imposing requirements on the private sector, if the rate of technological advances outpaces the implementation of performance requirements and regulation, how would imposing additional regulations better protect us from a catastrophic cyber attack?
