The Pentagon’s top cyberwarrior says that the risks the U.S. faces are growing faster than the country’s progress in creating the offensive and defensive tools and rules of engagement to defend cyberspace.

“Our work and actions are affected by threats well outside the Defense Department’s networks,” U.S. Army Gen. Keith Alexander, chief of U.S. Cyber Command, told the House Armed Services Committee on March 20. “What concerns us is the shift from disruptive to destructive attacks. Attacks that can destroy equipment are on the horizon.”

There is a laundry list of strategic concerns, he declares. Cyberspace is becoming more dangerous, and theoretical threats have become real threats that are being deployed by some governments against rival states. Moreover, cybercrime is changing as sophisticated criminals shift from the “botnet” approach to stealthier, targeted theft of sensitive data they can sell.

“We’ve seen digital certificate issuers hit and a penetration of the internal network that stored RSA authentication certifications,” Alexander says. “That has led to at least one defense contractor being victimized by counterfeit credentials. [On a larger scale,] several nations have turned their cyber-resources and power against us and foreign businesses that manage critical infrastructure in this country.”

He named several critical tasks that need acceleration: development of a cyber-force for the future and a defensible cyber-architecture, obtaining the correct legal authorities to operate, improving teamwork among government agencies and creating a concept for operating in cyberspace.

Without such improvements, there is increasing danger to the defense industrial base and the nation’s critical infrastructure, says Madelyn Creedon, assistant secretary of defense for global strategic affairs.

“We’ve seen loss of significant intellectual property and sensitive defense information that resides on or transits defense industrial base systems,” she says.

Creedon points to an ongoing review of the existing rules of engagement for cyber-operations and notes a combined effort with the Joint Staff. The goal is to create a transitional command-and-control model to enforce the rules as part of a “whole-of-government approach to cybersecurity.”

In addition, “we’re looking to roll out a process that we call ‘continuous monitoring’ to give us more capability to [monitor] the network rather than using periodic checks,” says Teresa Takai, the Defense Department’s chief information officer.

Congress could aid cyber-operations, Alexander says, by supporting information-sharing among agencies, which would provide the ability to see an attack, and by supporting the establishment of rules of engagement that have all the right legal authorities.

“The question is, what authorities will be given and what are the conditions under which they can be exercised,” Alexander says. “I’m confident that in a month or two some of that will actually go through.”

The Pentagon is looking at a dual path to cloud architecture that officials think will lead to a more secure cyberspace. One element is standardized platforms and protection that will be put together in stages.

“We will look at what each service provides with their own clouds and then at an enterprise cloud to provide services such as identity management and email that we use across the department to share information,” Takai says. “We are not looking at just protection of the cloud’s perimeter. We’re looking at mechanisms that provide protection at the information level. We’re focusing on identity management so we know who is in the cloud while linking that to what information the individual has access to.”