There were more questions than answers on Capitol Hill Thursday as the first general assigned to defend America's computer networks from foreign attacks told senators that both the battlefield and the rules of engagement are largely undefined.
In a 32-page statement to the Senate Armed Services Committee in advance of his confirmation hearing, Lt. Gen. Keith Alexander, head of the National Security Agency, said there is a "mismatch between our technical capabilities to conduct operations and the governing laws and policies," according to The New York Times.
Alexander also wrote that he is prepared to strike back at foreign government institutions linked to cyberattacks on the U.S., but could also strike against private institutions, like banks, that are used to prop up a hostile government.
At the hearing Alexander said the Pentagon's systems are attacked hundreds of thousands of times every day by individuals and foreign states. When the committee chairman, Sen. Carl Levin (D-Mich.) presented different scenarios that would require action, Alexander cited "the real complexity of the problem that we face today, because there are many issues out there on the table that we can extend, many of which are not yet fully answered."
The senators asserted that the cyberwarfare command should work closely with the Department of Homeland Security when it operates on American soil, the Times reported.
The role of a military agency operating both domestically and abroad has raised concerns from Internet privacy activists and civil-liberties groups who fear that Americans will be spied upon.
Alexander acknowledged that "civil liberties, privacy all come into that equation ... while you try to, on the same network, potentially take care of bad actors."
It remains to be seen if the newly created cybercommand would defend not just military computers but corporations such as Google and Intel, which have seen their systems infiltrated by hackers linked to China.
Alan Paller, director of research at the SANS cybersecurity institute, said it is crucial for the U.S. to safeguard its private sector.
"American companies are getting hit very hard," Paller said. "We have seen just the tip of the iceberg with Google and 200 other companies. When those guys get hit they look for help, and because they are being hit by the same attackers who are hitting the military, they are searching for people who know how the attacks are done. If they are to be protected at all, it can only be done by people who understand the attacker, and that's the NSA."
In his written testimony, Alexander said his command would be capable of not just defense but offensive operations against cyber enemies, saying "we must be prepared to 'fight through' in the worst-case scenario."
But Paller said the ability to launch a counteroffensive is limited because hackers generally hijack third-party computers to do their dirty work. "If you attack back, you don't have the bad guys, you have a new victim," said Paller. "The only way to deal with it is to build better defenses."
In 2004, the National Commission on Terrorist Attacks Upon the United States, known as the 9/11 Commission, recommended the creation of the Privacy and Civil Liberties Oversight Board. Three years later, because of concerns that the board would be controlled by the White House, the board was designated an independent agency coordinated by the president.
But President Barack Obama has yet to appoint any members to the board.
Jules Polonetsky, cofounder and director of the Future of Privacy Forum, said filling those positions would enable the government to address concerns raised by the cybercommand.
"The continued lack of clarity over the balance between our ability to use military-level tools to defend ourselves and rules of privacy show the urgency of appointing the Privacy and Civil Liberties Oversight Board," said Polonetsky. The board, he added, "would play a key role in assuring Americans that we are defending both people, property and our civil liberties."