February 26, 2021
Former NSA and Cyber Command Chief Keith Alexander on SolarWinds, Cyberwar, and China
When General Keith Alexander was nominated in 2010 to serve as the first head of U.S. Cyber Command, he wrote senators a 32-page note that included responses to questions and a warning that the country’s digital combat capabilities were being hampered by outdated legal controls.
There was a “mismatch between our technical capabilities to conduct operations and the governing laws and policies,” Gen. Alexander wrote, according to a report at the time by The New York Times.
Gen. Alexander had a unique viewpoint into these issues, having served as director of the National Security Agency since 2005. And when he was subsequently confirmed as the Commander of USCYBERCOM—starting a “dual hat” arrangement that exists to this day—Gen. Alexander would transform the way the military handled both its offensive and defensive capabilities in cyberspace.
Gen. Alexander announced his retirement from the military in 2013, and went on to found the cybersecurity company IronNet. He talked to The Record about SolarWinds, China, and the importance of information sharing. The conversation below has been lightly edited.
The Record: There’s been talk in the last few months about ending the “dual hat” arrangement between NSA and Cyber Command. Do you think the responsibilities of the two agencies have become too complex for a single director?
Gen. Keith Alexander: I disagree—I don’t think it’s too complex. In fact, when you think about it, you want to centralize command and control of the network and not fragment it. I would look at how we can coalesce everything we do in cyberspace—in peacetime, transition to war, and wartime—so that the country can be adequately defended. In both U.S. Cyber Command and NSA, you have all the tools needed from the Defense Department’s perspective to help protect our country when it’s under attack, especially from a foreign power that could have something that’s really destructive or wants to come after us because negotiations in a certain area go down. From my perspective, if you start to fragment that, the great technical base at NSA now moves elsewhere and you force Cyber Command to build their own capabilities, which costs twice as much and takes years longer—this took 60 plus years to build, with the best computers, best mathematicians, best network people in the world. There’s no real logical reason to separate them.
People say, “This is an intel agency.” Well, this is cyberspace. We don’t start breaking out pieces of the air force or army. There’s a good reason for that. You need that command and control. In fact, we took it a step further by creating the unified commands, and it’s in that light that I would look at Cyber Command—as a unified command with SOCOM-like authorities that can actually help bring together what our nation needs to defend this country when we’re under attack. As you look at some of the problems our country faces, especially with SolarWinds-like attacks, those things show that this can be a very difficult area for our country and these types of attacks are going to grow.
We need that single point of focus to hold accountable for that defense. You’re going to hold the Secretary of Defense accountable, so if you separate these two, is the Secretary of Defense now responsible for making them work together and adjudicate? Even worse, are you going to separate them and put one under DNI and therefore the White House has to adjudicate? In both cases, that would be crazy. So I’m an advocate for keeping them together. Secretary Gates and I talked about this for a long time—how do you grow Cyber Command to where it needs to be for our country. We saw what you need for the Defense Department, what you need for the intelligence community, what you need for DHS, and what you really want to do is figure out how you can make those work together for the nation. We were very close to having the DHS act as almost a deputy—so you’d have a deputy for NSA, a deputy for Cyber Command, and a deputy for DHS—that actually brings the nation’s capabilities together so the nation can be defended. The best person in the world to articulate that would be somebody like Secretary Gates. We had great discussions about it, and actually had talks with Secretary Chertoff and Napolitano on doing something just like that.
TR: I’m interested in you bringing up SolarWinds—how does it compare to other incidents you witnessed while in government?
KA: It’s clearly a wake-up call in a number of areas, which we’ve talked about over the last several years. Nation states and those criminal actors that have nation state-like tools can bypass your security protocols and get into networks and do things that are undetected by your legacy systems. In the SolarWinds case, I think Russia, the SVR, probably underestimated the number of infections they would actually get. I think their target was the federal government. It’s interesting—this is my own supposition, I have no classified information—but as I was looking at what was going on, I go back to 2017 with NotPetya and remember GRU did that, the military equivalent of SVR. And when they did that I think it got out of hand there. I think their intent was to target the government of Ukraine and hammer them. When they went after the tax MeDoc software it got out and hit Maersk, Merck, FedEx, and cost tens of billions of dollars in collateral damage. From their perspective, they said, “Ok, we made our point.” It hurt some companies in Russia, but that was acceptable collateral damage.
Now, look at SolarWinds. I think their intent was what is the U.S. doing with indictments against Russian actors, what’s the U.S. position on these actors, what’s the Commerce Department doing, what’s Treasury doing, what’s Justice doing, what’s State doing. I think that was their target, and IT capabilities to get into there. I think they were focusing on their target set and saw SolarWinds as a way of getting in, so they were focused down, and when they put that in and let that go, I believe they didn’t want 18,000 companies. “Oops. But oh, look at what we could do if we needed to.” The oops was now you had to weed out the 17,800 to find the 200 that you need. That’s a lot of work and they should have thought about it—and they will in the future.
When you think about this, look at their end objective and how they went after it. Think about all these others and what if you wanted to create a bigger problem? What if SolarWinds had been destructive? What if they were going after the government but hit 18,000 companies? You’re talking about trillions of dollars in damages. It would be a great value to understand who those 18,000 companies are and figure out that if they suffered the same damage as when Maersk and FedEx got hit, what would that have done to those companies and to our economy. It’s huge. It’s a wake-up call and we need to put that front-and-center because that’s a vulnerability.
The second part with that is every one of those companies today defends themselves. They share information but they look only at their information. I’m all about collective defense and how do we get these companies to work together. If you had 18,000 people working together, you would have known about this well in advance. And we need to do that. In order to do that, you need to see those types of events, and we didn’t see that with behavioral analytics. So now you see that going back, behavioral analytics are tough, they have false positives, and machine learning and AI can assist us in drawing it down. But so can collective defense in sharing this information in an anonymous way—it allows you and the government to see what’s going on and improve the defense of our nation and our allies. I think that’s going to be part of our future, and this is one of the most important things for our country and allies. The private sector is the objective of our foreign adversaries.
If you look up The Art of War, you have to hit the military to get to the country. In cyberspace, they don’t have to do that—we have to think about how we protect our nation’s future, which is our economy. Our government, our military, our intelligence community all exist because of our economy. You destroy that and you have a problem, and those that wish us harm can do that. I’m really worried about that piece and worried that people aren’t taking it seriously enough, saying it can’t happen to us. It’s like 9/11—it happened to us, and it forced us to overreact. We have to get this right now. We know it’s a problem.
TR: You mentioned SVR. The government made it clear they believe it’s Russia, and some anonymous sources have said they believe it’s SVR. Why do you think it’s SVR?
KA: I haven’t talked to the government on it, but I’m talking to others in the community. People don’t want to point to SVR but it’s going to be one of three—FSB, GRU, or SVR. I think FireEye came out with an assessment early on that it was SVR and then walked back on it. I think their gut was right.
TR: It sounds like you think defense should be a first priority, but I’m curious about what you think is the adequate response?
KA: That’s a great question. I’ve been asked several times why don’t we go and whack them back. Let’s say that this is like Leo Getz from the movies—we go into a bar and see this big biker gang and they push us and we want to push them back. We better think twice about it, because they have better opportunities than we do. In cyberspace, our infrastructure has more vulnerabilities and we have more of our country’s economy in the network than any other country. We have more to lose, so step one, before you consider any offensive, overt action, recognize there will be a response, you won’t like it, and you won’t be ready for it. Before you even think about that, get your defense set. If you’re going to do something, let diplomats in the covert area do it quietly, so they get the message and that’s probably good enough. If you turn it into a fight, where there is potential for escalation and potential disclosures of capabilities and tactics, and it gets into the press, we won’t like the outcome. I guarantee you that it’s not just SolarWinds—there are other exploits into the infrastructure that we don’t know about.
If people understood just the economic loss just of IP theft, then you add in ransomware, then you add in all the impacts on systems we have, you’re talking about trillions of dollars. We’re not ready for that. As a nation we need to say how do we fix this, how do we get our allies to work with us in this area. This is the big issue of today and the next couple decades. In the physical space we’re separated by two huge oceans and we have a missile defense system, so we’re protected. In cyber, it doesn’t exist. We have to go fix that.
TR: What are the big impediments to info sharing and collective defense?
KA: We need more sharing of threat-related data in real time among the private sector and with the government. This will help the government see where the attacks are coming from and the offense can do something about it while we defend locally. In a collective defense model, that sharing can be done anonymously and can be correlated with what other organizations are seeing, within a secure ecosystem. In case of the SolarWinds attack, we detected the DNS command and control going out, and when the next company got hit with it a few days later, it got automatically correlated—it wasn’t by a human, it was by machine—and when another hit and another hit, it all got correlated. We have the ability to detect these behaviors and share them anonymously. The problem we face is that there are some people who still don’t trust this data sharing with the government and will extrapolate it to mean their phone calls and emails are being monitored… even when they know that’s not right. We have to help the country understand the safety and benefits of this information sharing, and remove the political rhetoric from the conversation.
There are two ways that can happen: We get out in front of the data sharing issue and help explain it and prove its ability to deliver better defense, or we get hit with a destructive attack that hurts our country significantly. We have a choice, and my thought is let’s do it right from the beginning. Bring in the ACLU, work with the EU on GDPR, and show them how you can do threat sharing at speed and let’s fix this. The alternative is that we talk about it and say it’s hard and something bad happens and we say, “Damn, I wish we had done something.”
TR: The NSA has made a couple changes in the last few years with how they handle cybersecurity—they’ve made a push to be more transparent and in at least one case shared a vulnerability with a company instead of keeping quiet and using it for their own intelligence needs. What do you think about this approach and where do you see it going during the Biden administration?
KA: The government is here for the good of the nation, and the economy is our nation. So step one, I think working with the private sector is a good thing to do and we should continue to do that. I’ll tell you that General Paul Nakasone, Anne Neuberger, Rob Joyce, and everyone there are exceptional—they’re good people and they’re not here to spy on us, they’re here to find out what the threats are and to protect us. I think we’ve got to understand what their mission is and help that public-private partnership evolve so we can help the country.
TR: I wanted to ask you about China—threat groups linked to the country have been a serious issue for at least the last two administrations and it doesn’t seem to be getting much better. Where would you assess it right now, and where do you think it’s going?
KA: Our intent should be to make it a really good working relationship. We have to first put the issues on the table and make sure everyone clearly understands them. Say we want to be friends, but they’re stealing our intellectual property, our technology, and their business practices are different from ours. We have a couple things we should look at. Our economy is run based on how we generate a tax base. 3G and 4G were a trillion-dollar-plus tax base. There are several economic competitions going on—machine learning and AI, quantum computing, 5G, nuclear power, and biotech especially with COVID, just to name five. When you think about those, now our country’s commercial sector goes and competes on its own, China steals data from those and the Chinese commercial sector and government work together to win. Huawei is supported by the Chinese government, so when they go into Europe, it’s sell it down, get a footprint, and take it over. I think we have to look at how to address the theft of intellectual property and how we ensure there’s a level playing field for our commercial sector to compete in this area. Having our commercial sector compete against China’s commercial sector and the Chinese government isn’t a fair way of doing it. Going forward, this makes the diplomatic part more difficult, and it’s where a guy like Henry Kissinger would be amazing to talk to. I’ve talked to him on China. We need to figure out what’s the way we’re going to work this, and it’s very difficult.
Part one is to fix our defense—it’s just laying out there. The commercial sector is trying its best to fight against a government and all its resources. That’s not a fair fight. Building the public-private partnership in cyberspace balances that, and we have to go and fix it. Nations act in their best interest. China will tell you it’s not stealing your stuff, and then goes and steals your stuff. So you have to tell them not to do it, but also protect your stuff. It can’t be just trusting them—it’s trust but verify. Look at what’s going on in the COVID-19 arena alone and the theft of intellectual property. It’s huge. Think about machine learning and AI and all the stuff going on in our universities. This is the biggest transfer of wealth in history, and it’s going right out the front door.