Gen. Keith Alexander is a man who keeps secrets.
Alexander directs the National Security Agency, that oh-so-mysterious group of American military code breakers, eavesdroppers and cyber-sleuths who work out of an ominous-looking headquarters in suburban Baltimore.
Which is why it was a little surprising when Alexander showed up in Omaha last week at a military conference hosted by the Bellevue-based U.S. Strategic Command, took the stage in front of 1,500 military officers and defense contractors, and bluntly suggested that the U.S. military should have the power to attack other countries in cyberspace.
"We can't just defend," Alexander said at StratCom's Cyber and Space Symposium.
With that, he unceremoniously and publicly dumped a nearly decade-old official stance that the United States should focus solely on the defense of the country's military and corporate computer networks.
The U.S. military, he said, must be able to effectively fight back against countries — experts repeatedly point to China and Russia — that have used the Internet to heist enormous amounts of valuable information from U.S. companies and defense contractors.
The military must also have the capability, he said, to counter cyberattacks that could steal military secrets or shut down a part of the U.S. infrastructure, potential volleys in a high-tech war that the United States must be ready to fight.
To illustrate, Alexander told a story about a boxing club he joined as a teenager.
The coach would split the club into two teams. One team would block punches. The other team, the offensive team, would punch the defenders until they were bruised.
"Which team do you want to be on?" Alexander asked.
This year, for the first time, American political and military leaders are openly discussing the specter of an American cyberattack.
These leaders, including Gen. Robert Kehler, the commander of StratCom, are beginning to debate the messy issue of rules of engagement in cyberspace.
How do you determine whether someone has shot at you?
When and how do you shoot back?
They are pouring more money into the development of cyber-offense, funneling hundreds of millions of dollars to the Defense Advanced Research Projects Agency, known as DARPA, which is generally credited with helping to create the Internet.
The Obama administration all but acknowledged last month that it had contemplated a cyberattack to try to knock out Libya's air defense system, making it safer for allied warplanes to bomb Moammar Gadhafi's regime during the first day of the Libyan airstrikes.
The administration and its military advisers eventually decided against the overt cyberattack, in part because they worried about ushering in an age where hackers play a key role in all armed conflicts.
But ask the military leaders and computer experts who crowded into the CenturyLink Center Omaha last week, and many will tell you that this future is unavoidable.
Countries and rogue groups will continue to launch attacks in cyberspace, and they will do so using more advanced and potentially more damaging tactics.
"Anybody who says they know what (the future) looks like is wrong," said Dr. Herbert Lin, the chief scientist on computer science matters at the National Academies, who has published several studies on cyberattacks and cyberdefense. "But I know this: We ain't seen nothing yet."
What the United States has seen, practically since the dawn of the Internet age, is other world powers and tech thieves alike hacking into U.S. corporate and government computer systems.
The computer security company McAfee has estimated the United States loses $1 trillion annually in intellectual property and other proprietary information, taken either by foreign countries or unaffiliated hackers, Alexander said.
In the past few years, Google and two of the country's largest defense contractors — Lockheed Martin and Booz Allen Hamilton — have lost staggering amounts of data and proprietary information to hackers, Alexander said.
"These companies are the gold standard for network security," said the NSA director, who also commands the new U.S. Cyber Command, overseen by StratCom. "If they get hacked, where does that leave the rest of us?"
In fact, a recent survey indicated that nearly six of every 10 American corporations believe that their networks have been hacked into, said retired Lt. Gen. Steven Boutelle, formerly the U.S. Army's chief information officer and now a vice president at Cisco.
The ones that don't think they have been hacked, Boutelle believes, are the companies with the weakest cybersecurity — too weak to realize they have been hacked.
The most likely culprits, particularly in the cyberattacks on defense contractors, are China and Russia, Boutelle said.
"It should not surprise you when some of our adversaries have planes that look like our stealth ones," Boutelle said. "When nations steal terabytes of information . our nation suffers for 20, 30, 40 years."
Many of the speakers at the Omaha conference can envision a far worse fate than a foreign nation or terrorist group stealing U.S. information.
Russian operators used cyberattacks to knock out the banking system in Estonia during a dispute in 2007 and followed with similar aggressive moves in the Republic of Georgia, Azerbaijan and several other former Soviet republics, Alexander said.
Cyber-experts can envision scenarios where American power grids are knocked out, along with military satellites or even the American financial system, in an attack that could weaken the country's infrastructure for days or weeks.
In fact, two U.S. satellites appear to have been interfered with and likely briefly controlled by a foreign entity in 2007 and 2008, according to a congressional report released last week.
The report said the alleged cyberattacks "appear consistent with authoritative Chinese military writings," although StratCom's Kehler said Wednesday that StratCom didn't have sufficient detail to identify the attackers.
"The critical infrastructure of the nation is at risk today," Boutelle said.
Now the U.S. military is starting to fight back, or at least is starting to concede it has been fighting all along.
After all, Stuxnet, the most famous cyberattack, crippled the nuclear program of Iran — no friend of the United States — in 2010.
Stuxnet, a highly sophisticated computer worm, burrowed its way into Iran's nuclear centrifuges and made them spin out of control. Outside experts believe that nearly a fifth of the centrifuges spun themselves to pieces, a disaster that likely slowed by three to five years Iran's effort to enrich uranium and build a bomb.
The chief suspects in this attack, according to experts, were the United States and Israel.
Intelligence leaked since the attack suggests that the United States, along with the German company Siemens, tested the weaknesses of the Iranian centrifuges in Idaho in 2008. The worm itself was then tested at the Dimona complex in Israel, according to Wikileaks and other published reports.
"I'm absolutely convinced that the United States is the leading force behind Stuxnet," said Ralph Langner, the German cybersecurity researcher who first successfully analyzed the Stuxnet code, during a September speech at the Brookings Institution.
In Omaha last week, there was only silence about Stuxnet. American military officials have repeatedly declined to comment on the computer worm.
But there was much talk about the need to publicly grapple with the technological and political issues that surround any potential U.S. cyberattack.
On the first day of the conference, the Pentagon released an updated cyberwarfare policy that said the military could and would launch an offensive cyber-operation if ordered to do so by the president.
But when, based on the military's standing rules of engagement, is it permissible to cyberattack a foreign country? And when, under the doctrine of proportional response, is a cyberattack the correct move?
"StratCom, if there's a nuclear event, they know what they need to do," said Madelyn Creedon, an assistant secretary of defense. "Cybercommand is searching for that."
The conference speakers and panelists seemingly agreed that not much is yet known about how and why to use cyberattacks.
Andrew Krepinevich, a defense policy analyst and the director of the Center for Strategic and Budgetary Assessments, compared the knowledge about cyberweapons to what was known about nuclear weapons in 1948 or 1949.
They also seemed to agree on this: Building up cyberdefenses alone won't prevent foreign hackers from successfully messing with the United States in cyberspace.
Given time, a hacker always beats a well-defended computer network, Lin said.
Several suggested that the only way for the United States to deter cyberattacks was for the U.S. itself to attack.
"We really just don't know how to do good cyberdefense," Lin said in an interview after the conference. "The only thing left, really, is offense. I'd like to be wrong about that, but I don't think I am."
Contact the writer: