On June 3, we heard the first public presentation by the newly-confirmed commander of U.S. Cyber Command (USCYBERCOM), General Keith Alexander. Unfortunately, his presentation only added to the ongoing ambiguity surrounding the existence and scale of the supposed cyber threat facing the United States in general, and the Department of Defense (DoD) in particular. The contradictions between this and previous statements of the threat, both by Alexander and others, combined with continued confusion over the definition of key terms, points once again for the need to more clearly articulate the cyber threat if we are to develop appropriate policy responses.
During his confirmation hearing on May 7, when asked by Senator Joseph Lieberman about the seriousness of the cyber threat and how frequently DoD computers are “under attack” on a daily basis, then Lt. Gen. Alexander, the prospective head of USCYBERCOM, answered that U.S. military networks experience “hundreds of thousands of probes a day.” But in follow-up questioning by Senator Lieberman, Alexander admitted that “probes” are not “attacks.” Neither Lieberman nor any of the other senators pressed Alexander on his equivocation, nor asked him to answer the original question about “attacks,” which one would presume are more serious than mere “probes.”
On June 3, however, in a presentation to the Center for Strategic and International Studies, the now-confirmed and sworn-in commander of USCYBERCOM claimed that “DOD systems are probed by unauthorized users approximately 250,000 times an hour, over 6 million times a day” (p. 6 of transcript). This not only contradicts what he said in his confirmation hearing less than one month ago, but it also contradicts what a number of other DoD and government officials have said about the number of “probes” and/or “attacks” experienced by DoD or other government agencies on a daily basis.
Here are some examples:
- In November 2009, in remarks at the Defense Technology Acquisition Summit, Deputy Secretary of Defense William J. Lynn III claimed that “our defense networks are already under attack. They are probed thousands of times each day; they are scanned millions of times each day, and the frequency and the sophistication of those attacks are increasing exponentially.” This suggests that there is a difference between a “probe” and a “scan,” and that both count as incidents of “attack.” Of course, Alexander suggested in his testimony that “probes” and “attacks” are not the same.
- On 11 April 2010, the Seattle Post Intelligencer reported that “When asked how often the federal government’s computers get targeted or probed each day, defense specialist Rep. Adam Smith, D-Wash., curtly responds: ‘North of a million times’… [and that] the Pentagon’s computers are targeted at least 5,000 times every 24 hours.” Of course, this is a much lower estimate than any provided by Alexander thus far. Though, again, in this case we don’t exactly know what Adams means by “targeted.”
- On 20 April 2010 at the RSA Conference, CNET News reported that “Robert Lentz, chief information assurance officer for the Department of Defense, said the agency is attempting to protect 15,000 networks, 7 million computers, and 1.1 billion Defense Department Internet users worldwide. There are 360 million probes targeted at Defense Department networks each day, compared to the 1 million probes an average major U.S. bank gets per month.” This number dwarfs even the newer, higher number of 6 million “probes” identified by Alexander on June 3.
- By comparison, on 5 March 2010, Politico reported that “Congress and other government agencies are under a cyber attack an average of 1.8 billion times a month, a number that has been growing exponentially since President Barack Obama took office. […] The Senate Security Operations Center alone receives 13.9 million of those attempts per day.” Can it really be the case that the U.S. Senate experiences more than twice as many “attacks” as DoD each day?
As we move forward, for Americans to feel confident that their tax dollars are being spent 1) to solve a problem that actually exists and 2) that those responsible for addressing that problem are competent to do so, more clarity is needed both in defining key terms and then explaining the scale of the supposed threat. First and foremost, better and clearer definitions are needed. Some questions raised by the statements above include: What’s a probe? What’s a scan? How do they differ? Are they all attacks, as Lynn suggests? Or are probes and attacks different, as Gen. Alexander suggested in his confirmation testimony? Second, how serious is each type of incident? Is a probe more serious than a scan, etc.? Finally, once properly defined, those whose job it is to explain the threat to politicians and citizens should be precise in their use of these terms. Only then can we have a meaningful discussion about the scale of the problem, in which we will want to answer questions like, How many of each type of event are we seeing on a daily basis?
Demanding answers to these questions, demanding greater clarity from those who seek to identify and address national security threats with taxpayer dollars, does not result in not taking the supposed threat seriously. Just the opposite is the case. We are not taking the threat seriously if we do not answer basic questions about it and if we do not take the time to speak clearly and precisely when articulating it.