Friday, May 7, 2010 saw an important event in the history of the Internet. On that day, the U.S. Senate confirmed by voice vote the promotion of NSA chief, Lt. Gen. Keith Alexander, to the rank of General and appointment as the first commander of the U.S. Cyber Command, which by most accounts will have the mission of not only defending U.S. military networks, but also conducting offensive cyberwar operations. Gen. Alexander’s confirmation paves the way for U.S. Cyber Command (USCYBERCOM) to become fully operational by October 2010. His confirmation also marks the failure of public cyberwar policy discourse in the United States.
Tim Stevens contacted me the other day and suggested that I write something about Gen. Alexander’s promotion and confirmation. Indeed, it seems to be an event calling out for some kind of comment. But what is there to say? For those of us like Mr. Stevens and myself, the confirmation of Alexander seems to mark an irreversible step in the militarization of cyberspace, regardless of the Pentagon’s claims to the contrary. But I think it is also important to note that Alexander’s confirmation marks an important failure of American public policy discourse about cybersecurity and cyberwar.
One of the few things that I have agreed with as I have read through Richard Clarke’s recent, hype-filled book, Cyber War: The Next Threat to National Security and What to Do About It, is his opening assertion that “We created a new military command [USCYBERCOM] to conduct a new kind of high-tech war, without public debate, media discussion, serious congressional oversight, academic analysis, or international dialogue” (p. x). Clarke bills his book as an attempt to “stimulate” the “open, public analysis and discussion of cyber-war strategy” that he says is lacking (p. xii). Though I do not think that the book has thus far succeeded in this goal (perhaps the topic of a future post), I can agree with Clarke’s diagnosis of the problem and the suggestion for more “open, public analysis and discussion.”
That is why the process that has led to Gen. Alexander’s confirmation is so disappointing. His confirmation hearing marked a key moment in which we had an important opportunity to approach the kind of open, public analysis and discussion for which Clarke has called. We had a crucial opportunity to ask and demand answers to serious questions about the supposed cyber threats used to justify the creation of USCYBERCOM, as well as the mission of that new command, how it will meet these supposed threats and with what consequences. We came nowhere near getting the answers that we needed, nor even beginning to ask the right questions.
In the run-up to Alexander’s confirmation hearing, the “advance questions” document [PDF] submitted by Alexander to the Senate was made publicly available by the Washington Post. But many answers to key questions were only provided in the classified supplement to the unclassified document released by WaPo. This included questions about Alexander’s qualifications to command military operations (p. 3), Alexander’s priorities as commander of USCYBERCOM, the “overarching” mission of USCYBERCOM (p. 8), whether the U.S. could legally “fire back” in response to a cyber attack in which it could not positively identify the attacker(s) (p. 12), whether current policy documents are actually “consistent with current policy” (p. 17), whether the U.S. has a cyber deterrence doctrine and strategy (p. 21), whether or not it is in the United States’ interest to act offensively in cyberspace (p. 21), whether DoD is approved to investigate U.S. citizens suspected of attacks on computers in the “.mil” domain (p.28), whether it is practical to re-design the Internet to promote security and what the impacts would be on privacy (p. 31), and more. And this does not even begin to touch the questions that were answered in such a vague way as to not really answer the question at all–i.e. most questions related to the applicability of the Laws of Armed Conflict.
In short, basic questions about Alexander’s qualifications, the mission of his command, basic U.S. policy and doctrine, the legal authorities of he and his command, and the potential impacts upon our national interests, privacy, and civil liberties all went publicly unanswered.
But one advantage to the leaking of Alexander’s pre-hearing answers is that we had the opportunity to see whether members of the Senate Armed Services Committee would press him to be more forthcoming in publicly addressing such basic and critical questions. They were not. Senator Mark Udall asked perhaps the most serious questions of Alexander. He even noted that “in the advanced questions you were only able to write classified answers to what seem to be some of the fundamental challenges facing Cyber Command” and asked if “there [is] anything you can tell us in this open session to get at some of those basic questions?” Alexander’s answer: “transparency is important.” And then he rambled for a while, saying nothing that addressed Udall’s concerns. Yet there was no follow-up pressing Alexander to acknowledge the importance of transparency by actually being transparent.
This was the tone for the rest of Udall’s questioning, and indeed, for the entire hearing. After pointing out that White House cybersecurity czar Howard Schmidt had “questioned whether…cyber war can exist” and claimed that “‘cyber war is just something that we can’t define’,” Udall asked Alexander whether he thought cyberwar could exist and whether he could define it. Alexander contradicted Schmidt, saying that he thought it could exist, but punted on the second question about definition. He was not pressed to explain his contradiction with the White House, nor to define the phenomenon that will be the central focus of his command. When asked by Senator Joseph Lieberman about the seriousness of the cyber threat and how frequently DoD computers are “under attack” on a daily basis, Alexander trotted out the oft-heard claim that U.S. military networks experience “hundreds of thousands of probes a day.” But in follow-up questioning by Senator Lieberman, Alexander admitted that “probes” are not “attacks.” Yet again, neither Lieberman nor any of the other senators pressed Alexander on his equivocation, nor asked him to answer the original question about “attacks.”
So a key opportunity was missed. Now, much of the important discussion and decision making will be made behind closed doors and under cover of classification. Excessive secrecy is already a problem in cyberwar discourse and the finalization of U.S. Cyber Command with the confirmation of Alexander will likely only make the problem worse. And lest we think that the levers of representative democracy might be used after the fact to punish the politicians who voted in favor of militarizing cyberspace “without public debate, media discussion, serious congressional oversight, academic analysis, or international dialogue” (Clarke, p. x), we should remember that in the kind of voice vote used to confirm Alexander, “The names or numbers of Senators voting on each side are not recorded.” And that is how cyberspace was militarized: With little to no serious public debate, and no one officially on the record to be held accountable for the decision.