Richard Hale, the Department of Defense’s deputy chief information officer for cybersecurity, said that his department had begun sharing classified information about cyberdefense with 36 industrial companies deemed to be vital; in return, these companies are expected to share information about any attacks they experience.
Speaking alongside Hale and Plunkett, the Obama administration’s Howard Schmidt said the days of the Internet developing organically and without a centralized imperative to build in security or control channels needed to end. “Let’s not just roll it out like we used to do and then fix the problem,” he said. “We really have to change that around, to give anybody trying to intrude into our systems a harder time. If we don’t do this, we all suffer.”
The Obama administration has tabled legislation that would give the Department of Homeland Security powers to actively monitor the systems of companies operating “critical” infrastructure; and already White House and Department of Homeland Security officials have begun a program of close supervision of companies that operate the U.S. power grid.
However, some politicians and government insiders are beginning to push for the DoD and the NSA to have a greater role. Senator John McCain (R-Arizona) told Congress this month (full statement) that only the NSA and the U.S. Cyber Command, both DoD organizations headed by General Keith Alexander, can protect the United States.
Michael Hayden, a former director of the NSA and CIA, said that many people agreed with McCain that the military, in particular the NSA, should be in charge. “The [NSA] represents too much capacity to be left on the sidelines of this issue.” Like McCain, he said that the NSA should actively monitor the systems of companies operating crucial infrastructure and intervene if an attack were detected.
Ron Diebert, director of the Canada Centre for Global Security Studies and leader of the team that discovered the GhostNet cyber attack on the Dalai Lama and various embassies in China in 2009, expressed concern at the DoD’s growing influence. Introducing more centralized control of Internet infrastructure would send the wrong message to countries like Russia and Syria, which are already using cyberattacks or censorship on their own citizens, he said, adding that the Internet could become fragmented and locked down rather than open.
Hayden agreed that there was a risk that the “Internet’s main principles” could be damaged, but said waiting for nonmilitary parts of the government to develop the necessary expertise was too risky. “A reluctance to grapple with these issues will cede the field to others that intend to do us harm. Something catastrophic will happen and then we’ll overreact.”
Jim Dempsey, vice president for public policy at think tank the Center for Democracy & Technology, said militarizing the Internet would be a mistake. “How did we get to this point where the most effective resources to secure the Internet’s centrality to our society are in a top-secret military agency? Saying there’s only one place to go will pervert our technology and society.”