Former NSA Director General Keith B. Alexander discusses Modern Cyber Threats
Retired four-star general Keith B. Alexander knows a lot about cyber security; he served as Director of the National Security Agency (NSA), Chief of the Central Security Service, and Commander of the United States Cyber Command during his time in the military. Now he serves as founder and CEO of IronNet Cybersecurity.
The depth of his experience gives him a solid foundation on which to speak about the challenges posed by cyber threats in a modern world. He started by talking about the changes that happened between 2005 and 2008 at the NSA. “They’re not listening to your phone calls and reading your emails,” he said, dispelling a notion that has persisted since then.
Continuing his look back at that time period, he noted that in 2006 he went to Iraq, where his friend David Petraeus had arrived to assess the situation there. “Casualties were mounting, and I wanted to find out what kind of intelligence would help them,” General Alexander said. “They told me ‘human intelligence,’ which stunned me. There needed to be a change in how we handled information.”
The problem, General Alexander said, is that information was being sent from Iraq to Washington, DC, where it was processed and turned around in a report in 16 hours, which he observed was considered a good way of handling intelligence. “But if you need to know if a bad guy is on a street corner, of course he didn’t stand there for 16 hours,” he said.
He continued: “We quickly created a system to fix that. We went from 28 people in Iraq to 6,000 there and in Afghanistan. We had to rewire Iraq to help our soldiers live through that situation. We deployed that new system in January 2007 and it helped us take down 3,950 bad guys that year. It changed the story.”
Integrating intel with combat operations
But General Alexander had more to do. He said: “I also had to convince [fellow military retiree] Stanley McChrystal to work with us. We asked him, ‘Who are your top 10 bad guys and do you want to know where they are?’ He told us and we showed him exactly where they were. He was stunned.
“We had to have intel integrated with combat operations. I bring that story up because these were people I knew who were being put in harm’s way and needed to be brought back home safely.”
General Alexander continued: “It was a fascinating time to be at the NSA. When looking at how data was collected, I found out that when I showed up, they had cancelled the major collection system. Secretary Rumsfeld told me that we had to figure out where to go.”
He noted that since the iPhone debuted in 2007, not only was it a major game changer for the NSA and for people in the e-signature space, but it changed how people create and distribute information too.
“Last year,” General Alexander said, “8 zettabytes (an 8 with 21 zeroes after it) of data was created, which is more than the last 5,000 years combined. Next year, it will happen in less than a year. And the following year, it will be faster. And so forth. That means half of what kids in college learn as freshmen is obsolete within two years. A lot of jobs, such as ones involving the iPhone, didn’t exist 10 years ago.”
He continued: “I used to be asked by members of Congress, ‘Should we outlaw the Internet?’ How do you answer such a stupid question in a respectful way and let them know they shouldn’t say so in public?”
More computational capacity than the human race
General Alexander noted that while the Internet has had its drawbacks, it has also allowed technology to develop at a breathtaking pace. “Watson has beaten the best humans at Jeopardy,” he said. “And there’s a prediction that by 2049, one computer will have more computational capacity than the entire human race.
“When you talk to the people at IBM about Watson, they note that winning Jeopardy isn’t a core competency. So they looked at something else and focused on cancer. For example, if you’re diagnosed with brain cancer, they give you about 14 months. One decision during that 14 months could take 30 days, with all the analysis that has to happen. IBM’s people, though, changed that to a nine-minute decision.”
He noted: “We will solve cancer, ALS, Parkinson’s, MLS, and other diseases because of the information we’re getting. We can’t slow down.”
Cyber attacks intensify
General Alexander then continued his march through history. “In 2007,” he recalled, “there was the attack against Estonia by Russian hackers. They were knocked offline, and they’re a very integrated society. In 2008, Russian forces attack Georgia and hackers attack that country too. In August and in October 2008, NSA found some sensitive Defense Department information in a foreign network where it shouldn’t have been.
“NSA had to be invited into the Department of Defense (DoD), so we knocked on their door and ended up working with them to figure out what was going on. They said on a Friday afternoon that they found 1,500 pieces of malicious software on the DoD classified network. I called higher-ups and told them what happened. Then I turned to the people I was working with and said, ‘We need to solve this.’
“We came up with a system and I wanted to know if it was going to be ready by Saturday mid-afternoon. It was up and running the next day. It solved the problem, and no one else in the world could have done it.”
He continued: “During that same time period, we were also dealing with a hostage, Jessica Buchanan, who was taken by Somali pirates. We had learned through some intel sources that she was sick and would likely die in captivity. The State Department said she needed to be rescued right away, and the NSA helped find her in hostile territory so she could be rescued.”
He added: “Circle back to the cyber stuff. I got along really well with Secretary Gates. I gave him some worst case scenarios. I assumed I would retire in 2008 but they extended me. That’s when Gates decided to build cyber command and put me in charge.
“The way they had the computer network set up, they couldn’t see it. Essentially, we were fighting in the dark while the bad guys had night vision goggles. I had become a four-star general and told them I needed 6,000 people to help with that effort, so we could see what the bad guys are doing. All of them are working at cyber command today.
“In 2012, you had Saudi Aramco, with destructive attacks that destroyed over 30,000 systems. It was launched by Iran. From 2012 to April 2013, attacks were launched on Wall Street too, along with attacks by North Korea against South Korea. Many others were getting hacked too: Sony, Target, and so forth.”
NSA and the ACLU: strange bedfellows
General Alexander continued: “Then Snowden popped up. I was in Berlin, Germany when I first heard about him. That was in the summer of 2013. In August 2013, the White House called me. I went to the White House about once a week during my time with the NSA, because it collects about 70% of the nation’s intel.
“I knew that August 2013 meeting was going to be for a Presidential panel that could tell the American people what we were doing and why we were doing it. They said the President has already made a decision and gave me some files that referenced the ACLU, which was suing the government. The President decided the programs should be reviewed with the ACLU.
“A new team came to the NSA, along with someone from the ACLU. I told him that the people running those programs would go over them with him over the next five weeks. Five weeks later, the guy from the ACLU approached and vigorously shook my hand. He told me we had the greatest integrity of any agency in the government.
“He admitted to having started the process as someone skeptical of the NSA but came to understand how much the organization did to combat terrorism with integrity. It turned out to be a good thing to have him on the committee, which helped the NSA’s image with the President.
“The guy from the ACLU contacted me when the programs were up for review and he said he wanted to help write an op-ed in support of their renewal. I wrote an op-ed with him. I asked him why he was doing it and he said it was the right thing for our country. Our country needs people to work together for the good of the nation, without their biases.”
Government and industry need to work together
General Alexander then returned to the bigger picture of cyber security: “The rest of the cyber security story: We have industry, especially on the West Coast, that doesn’t want to work with government. I revisited the preamble to the Constitution, which mentions our common defense — working together.
“Government can’t defend industry without partnership and industry can’t defend themselves without government. The reality is that we will be attacked and tested in cyber space.
“What do we need to do? If you look at the financial sector, it needs to create a program where information is shared, so if the bad guys are trying to break in, they can ask for help right away.
“Let’s look at Sony as a case. Who should have defended Sony? The government and Sony should have worked together, but they didn’t. If Sony were to fight back against North Korea on their own and North Korea launched an attack on South Korea, it would mean that a private company could be responsible for a war.
“Speed is of the essence in any industry. E-signatures is about speed, efficiency, and going paperless. When it comes to these hacks, I think we’ll see increased regulation in these areas until we meet certain standards. I would prefer not to have more regulations, but we need a way for everyone to work together.
“Look at the JP Morgan hack: When they were hacked, the attackers scanned 7 or 8 banks and found a crack at JP Morgan. Imagine that the banks that were probed said that that was happening. If we could do that at network speed and knew that JP Morgan was being infiltrated, we could deal with that right away.
“We can protect civil liberties and privacy and defend this country, as my partnership with the ACLU proved.”
The floor was then opened for questions.
Q: “What action items are necessary to get where you want to be on sharing information to protect against attacks?”
A: “The legislation has been passed that allows for government and industry to work together. The rhetoric has to change too. We didn’t handle the Snowden stuff as well as we should have at the government level. We have to figure out how to bring industry and government back together. The easiest is the financial sector, which is most at risk and would benefit the most.
“We have to do a couple things. We have to have companies that will work together on attacks they’re seeing and do so at network speed. The government should tell industry when they see attacks coming from bad guys. Then we take that to our allies and extend that to them when appropriate.
“We have to get the government set right. There was a story here. I went to the Secretary of Defense and they said I was supposed to defend the nation’s DoD networks. So I went to Leon Panetta and told him a story. I said we have missiles coming into Denver, and we know they aren’t going to hit a military installation, so do we let them go?
“Same thing in cyber security: We see an attack coming into the financial sector and let it go, if no DoD assets are under attack. That’s not how it should work. We created a chart that explained how the departments should work when defending the nation’s computer networks.”
Q: “You mentioned some of the national standards you’d like to see in place. Should that be one standard across the board or customized by industry?”
A: “I see a standard because we want to be able to say that a company meets the standards and can then talk to the government. If the company is attacked and they meet the standards, they’re free from liability because the government is tasked with helping defend against that attack. Don’t make it so over-regulated that it’s impossible to meet the standard.
“My experience on the operational side: We were 100% successful. If a nation state comes after your bank, you have a problem, but the government should defend them. That’s part of the common defense.”
Q: “With the desire to have the benefits of the collaboration between industry and government, how do you avoid a bureaucracy that slows down information sharing?”
A: “We need standards there too. If we could replay the Sony attack, we could have shut down gateways and other things to protect Sony. That’s what the government should and can be. Our country is protected by two oceans, so we need to be better at protecting ourselves from cyber attacks.”
Q: “The idea of a network being protected is breaking down because of the Internet of Things, and groups of hackers are also breaking down because they can attack from multiple places at once. How do we deal with that?”
A: “There was a recent attack that illustrated that example. Most likely it was criminal activity, but what if it was a demonstration that was being used to set up an even bigger attack?
“Now we have all these things connecting to the Internet. That creates a problem. The defensive architecture that we create can solve that. It’s doable.
“One of the things in looking at where we’re going is that we need to solve these security issues. All of you have the ability to help push some of this from your industry perspective. You want the government to help protect your network. How much revenue would be lost if we lost communication for 7 days?”
Q: “You mentioned that the government’s job is to defend us against external threats. How do we include citizens in the discussion of giving away a little privacy in exchange for that protection? There’s already distrust happening among people regarding that.”
A: “It has to be transparent to the extent that it can be. We can be almost completely transparent in this space. We have to figure out everyone’s roles and how that helps the American people and our allies.
“The NSA isn’t listening to everyone’s phone calls and reading their emails. They don’t have enough people to do that, and it would be illegal anyway. If you have someone from the ACLU saying the NSA had integrity and the media didn’t cover it, and everyone I talk to has never heard of it, that’s because it wasn’t a sensationalized story. We have to give the American people the facts without sensationalizing them. We have to solve these problems together. I served in the military for so long because I wanted to help our country.”