BALTIMORE — The commander of the U.S. Cyber Command said Thursday that he does not favor giving the United Nations the power to regulate the Internet.
Some regulations are needed to protect critical networks that control electrical power, banking, transportation and other key elements of society, Army Gen. Keith Alexander, who is also director of the National Security Agency, said after a speech to a security conference.
But asked whether the U.N. should have a regulation role, Gen. Alexander said: “No. I’m not for regulating, per se. I’m concerned about it, and this is a tough question. I would say, generally speaking, I’m not into that portion of regulating as you would espouse.”
Last month, Russia, China, Uzbekistan and Tajikistan submitted a resolution to the U.N. General Assembly calling for giving individual states the right to control the Internet. The resolution, submitted Sept. 14, calls for “an international code of conduct for information security.”
It requests “international deliberations within the United Nations framework on such an international code, with the aim of achieving the earliest possible consensus on international norms and rules guiding the behavior of states in the information space.”
China tightly controls the Internet through a cybersecurity police force estimated to be more than 10,000 people who monitor Internet users and websites.
Russia’s authoritarian government has taken steps in recent years to curb Internet freedoms. Uzbekistan and Tajikistan also are authoritarian regimes that seek to control Internet use.
Gen. Alexander said that, rather than seeking U.N. regulation, individual countries “first need to step up and say, ‘Look, how do we do this without regulating it?’ “
The four-star general suggested bolstering Internet security by using “cloud” technology, which uses remote computer servers for applications and data storage. Other new technologies that permit greater visibility of cyberthreats on networks also can be used to improve security, he said.
“I do think that there may be some things for critical infrastructure and government networks that we’re going to have to direct out to the government,” Gen. Alexander said. “These are things that you must do to secure your networks for government survivability.”
Additionally, security cooperation between nations can be improved, he said.
“But for my grandchildren and my daughters out there, they have a great time on the network,” he said. “I would not want somebody to say you cannot let your 2-year-old grab the iPad and launch [an application].”
As for future considerations, Gen. Alexander said U.S. policymakers are discussing whether U.S. firms should be required to divulge information about cyber-attacks.
Additionally, he said: “I think down the road we have to figure out how do we ensure that your platforms do not create a public hazard, but I’m not sure I would put that in regulation.”
In a speech to the Information Systems Security Association conference, Gen. Alexander said U.S. development of the Internet brought tremendous benefits and “tremendous vulnerabilities” that can be exploited by hackers, criminals and nation states.
U.S. corporations were victims of cyber-attacks, including Google, Lockheed Martin and Booz Allen Hamilton, and some have lost valuable intellectual property through cybertheft and espionage.
The threat is increasing as the use of mobile devices such as smartphones and tablet computers increases.
“Here’s what concerns me: What we’re seeing is destructive [digital] payloads coming out, payloads that can make a blue screen of death, that can stop your operating system, your router or peripheral devices,” Gen. Alexander said.
Mobile devices increase the problem by “orders of magnitude” because of the lack of security built up over the past decade for desktop devices, he said.
Both are connected to networks, “and the issues we are going to see are huge,” Gen. Alexander said.
Shawn Henry, FBI executive assistant director for cyber-issues and a conference speaker, said a better network architecture is needed to identify cybercriminals who can operate anonymously.
Mr. Henry also called for better “assurance” for Internet communications to prevent someone from breaking into links that control key infrastructure. For example, computer communications between a technician remotely directing an electrical facility need better security, he said.
“The Internet was developed with protocols allowing for anonymity and there are legitimate reasons for wanting it that way,” Mr. Henry said. “But for those critical uses of the Internet where intrusion is entirely unacceptable and we must be able to identify the users, market-driven factors may prompt the private sector to explore solutions and alternate architectures to meet those needs.”
“We need a more secure architecture that allows for absolute attribution,” he said. “Threats are continuing to increase and we cannot constantly play defense.”