Q&A: Lieutenant General Keith B. Alexander


CYBERSPACE DEFENDER:
Securing National Security Information Systems

Lt. Gen. Keith B. Alexander, Director, National Security Agency, Chief, Central Security Service



Army Lieutenant General Keith B. Alexander is the director, National Security Agency (NSA), and chief, Central Security Service (CSS). As the director of NSA and chief of CSS, he is responsible for a combat support agency of the Department of Defense with military and civilian personnel stationed worldwide.


Alexander’s previous assignments include the deputy chief of staff, Headquarters, Department of the Army; commanding general of the Army Intelligence and Security Command; director of intelligence, U.S. Central Command; and deputy director for requirements, capabilities, assessments and doctrine, J-2, for the Joint Chiefs of Staff. He has also served in a variety of command assignments in Germany and the United States, including tours as commander of Border Field Office, 511th MI Battalion, 66th MI Group; 336th Army Security Agency Company, 525th MI Group; 204th MI Battalion; and 525th MI Brigade.

Additionally, Alexander held key staff assignments as deputy director and operations officer, Army Intelligence Master Plan, for the deputy chief of staff for intelligence; S-3 and executive officer, 522nd MI Battalion, 2nd Armored Division; G-2 for the 1st Armored Division both in Germany and Operation Desert Shield/Desert Storm in Saudi Arabia.

Alexander holds a Bachelor of Science from the U.S. Military Academy and a Master of Science in business administration from Boston University. He holds a Master of Science in systems technology (electronic warfare) and a Master of Science in physics from the Naval Post Graduate School, as well as a Master of Science in national security strategy from the National Defense University.

Alexander was interviewed by MIT Editor Harrison Donnelly.

Q: You recently said, “We do not want to run cybersecurity for the United States government.” By contrast, how would you describe what NSA does want to do in this area?

A: Achieving the goal of cybersecurity will require the collective efforts of many across the government and private sector. NSA has a distinctive but necessary role in national cybersecurity and is pleased to be on that team and in a position to make a unique contribution. The natural evolution of our work in communications intelligence has given us a deep perspective in understanding digital communications and the dangers therein. That’s important to remember when considering NSA’s role. Cybersecurity is about securing information, and we have been one of the government’s primary agents for securing our national security information systems since our inception.

The secretary of defense is the government’s executive agent for the defense of U.S. national security systems, and I am his national manager charged with carrying out these responsibilities. NSA’s primary role in cybersecurity is to help protect national security information assets, which essentially are classified government and military communications. Also within the DoD structure are the critical contributions of STRATCOM component commands—the Joint Functional Component Command for Network Warfare [JFCC-NW] and Joint Task Force Global Network Operations [JTF-GNO]. As commander, JFCC-NW, I exercise operational control of JTF-GNO in order to plan, coordinate and conduct offensive and defensive cyberspace operations.

The Department of Homeland Security [DHS] has a similar charge to defend U.S. government unclassified systems and partner with private industry. FBI, CIA, Treasury and others also have key roles in cybersecurity, and the private sector is responsible for protecting the systems it operates. All of these networks of government—classified, unclassified and private sector—are not only interconnected but are often the same networks. So the nation’s approach to cybersecurity must be synchronized.

The bottom line is this: NSA’s role is to continue our defensive work as well as to contribute to the work of other responsible parties by offering our expertise to assist them in their part of the cybersecurity effort.

Q: How would you characterize the overall cyberthreat environment, as it applies to the United States in general, the federal government and the military?

A: Simply stated, it’s real. This is no contrived or overstated alarm. In just a very short time, cyber-based devices and tools have been incorporated into our work and personal lives in ways most of us barely imagined 20 years ago. They are widely available, relatively inexpensive to acquire, portable, easy to use and extremely popular. But convenience and security seldom go hand in hand, and in some cases convenience adds to the vulnerability if users aren’t mindful of potential risks, thereby taking appropriate steps to protect information and information systems of every kind.

We’re all aware of the growing epidemic of identity theft. That’s just one aspect of the overall cyberthreat to the nation. The tactics used to steal someone’s identity for criminal profit are much the same as those for stealing state secrets, sensitive information or government records. And, in many cases, it’s the same type of person or group doing it—organized criminal elements, for instance.

But, as damaging as information theft is, we also face the added danger of data manipulation. This is how our infrastructure, including energy, transportation and utilities, could be most affected.

Almost two years ago, Estonia was hit by a highly coordinated, well-supported, Russian-based cyber-attack. The entire Estonian cyber-infrastructure was brought to a standstill. Terrorists are using the Internet to study emergency telephone systems, electrical generation and transmission, water and storage distribution, nuclear power plants and gas facilities. Specifically, al Qaida is known to frequent Internet sites that offer software and programming instructions for digital switches that run our power, water, transportation and communications grids.

Another threat facing us is denial of service, which is to say the shutting down of communications. Think about how much of our daily activities are “digitized.” Just in the drive to work, many of us are on cell phones, use GPS navigators, depend on computerized traffic signals, and listen to HD radio. Every day purchases are made or recorded across the information grid. Add to all of this social networking and a growing use—almost dependency—on wireless communications.

Now, put these circumstances together. The military has done a remarkable job of leveraging new technology in order to revolutionize the way it communicates. But this technology also brings new risks. Soldiers in the field carry cell phones and PDAs. Communications from military installations and hostile zones are always at risk of interception by adversaries, but personal devices are now added into the mix. Inadvertent disclosures of sensitive information can have devastating consequences.

Q: In your address at the RSA Conference 2009, you emphasized the importance of teamwork in information security. How are you working to strengthen teaming within DoD and the intelligence community?

A: It’s not so much about what I’m doing, as it is what the various government agencies are doing. The severity and immediacy of the global cyberthreat is bringing forces together much as the Axis threat did in World War II. Every government entity with a stake in protecting our government information security has stepped up and is working to help each other as needed, as well as bolstering their own respective work forces.

Although the cybersecurity business is still relatively new, some of NSA’s business areas, like Red and Blue Teaming, are fairly mature. We make a tremendous effort to team with the entire community. We host events to share lessons learned, set up ways to share tools, share our training and methods, and develop standards so that data can be integrated.

I’ll also re-emphasize the collaborative work of JFCC-NW, JTF-GNO, the Defense Information Systems Agency [DISA] and NSA/CSS. This is a formidable group that leverages a range of skills, accesses and experiences under the STRATCOM mission to ensure U.S. freedom of action in cyberspace. It’s working, and it will continue to improve.

Q: What new forms of information technology do you see as creating the most significant vulnerabilities for the military and intelligence communities?

A: As I mentioned, cell phones and PDAs, while not new technologies, have become an integral part of our communications environment, but they also make us vulnerable in new ways. Thumb drives with multi-gigabyte capacity are cheap and easily available. GPS units can also be exploited. While none of these devices are unique to the military or government, new and creative methods to exploit them are constantly being developed. Essentially, if it’s digital and online, it should be considered vulnerable.

Q: As they go about their daily business, what would you most like for people in DoD and the intelligence community to do or be more aware of in order to help improve information security?

A: I’d like people to be aware of the impact that every individual has on security of the entire enterprise and their resulting responsibility. In a world where everyone is connected, we say that a risk assumed by one, even unknowingly, is a risk shared by all. Communications security or information assurance is as much individual responsibility as it is technology. Go back to my reference to identity theft. What information would you not want others to see? It’s not always “after the fact” security that needs to be observed. By that I mean there is more than shredding sensitive papers or cutting up old credit cards. Information assurance must be practiced on the go. As useful and necessary as it is, don’t depend on technology as the sole means of securing data. Commonsense caution combined with encryption, firewalls, passwords and other technical means is how we will improve our security.

Q: What can be done to improve network situational awareness and to pass information about malicious software or malware at network speed?

A: As is often the case, education is the first line of defense. NSA has a long history as a leader in operational and communications security, so those sensitivities are ingrained in our operations. Still, malware and spyware developers are very clever, and their tradecraft has become less expensive and easier to practice. They also have a target-rich environment in that they can reach out and “touch” any and every aspect of modern society with a few keyboard strokes and a good connection to the Internet.

Everyone—individuals, companies and governments—needs to understand that and appreciate the potential damages. For our part, those of us with network security responsibilities need to work harder to be in front of these malicious developments as much as possible. Once malware is introduced, for the victims it’s too late.

But this is yet another example of the advantage we have with the resident expertise and resources of intelligence, military and homeland security assets. We’ll discover—as a collective—and share with and learn from industry and academia. I don’t know that we can eliminate malware, but I’m confident that this coalition will cut into its proliferation and severely diminish its effectiveness.

Q: What do you see as the most effective approaches for increasing cooperation with industry and academia?

A: Everyone in the private sector needs to understand that neither NSA nor the U.S. government has the responsibility for directly securing private sector information and networks. That responsibility lies with those who built and maintain those systems. And when considering that we all rely heavily on commercially built networks, we realize that if the telecommunications industry is not part of the security strategy, then nothing anyone else does will matter.

The academic community is equally critical, as it is from that population we are getting not only excellently trained network specialists, but also some very good research as well. We also hope that part of the educational development is training on information management ethics.

NSA is very involved in helping government, industry and academia set open standards for security. For example, we support the National Institute of Standards and Technology [NIST] in evaluating candidates for the new Cryptographic Hash standard, we’ve developed a new Cryptographic Interoperability Standard that we call “Suite B” to help drive the commercial industry, and we play a major role with partners like NIST, DISA and numerous commercial partners to define standards for automated configuration management and patching.

The interconnection of government, industry and academia is happening. There is quite a bit of interaction among the three, and we’re sharing ideas, techniques and, occasionally, resources in a true team approach. I think that relationship will only get stronger.

Q: How do you view the future for network defense?

A: The bad guys only have to find one way in to be successful, while the cyberdefender has to protect against all avenues of approach. Currently, cybersecurity is essentially looking for things in the network we know how to recognize and reporting about them after the fact. So, when an incident occurs, the logical question then is, “Why didn’t you do something about it?”

To prevent disease, doctors must study victims of it and, from that study, determine courses of action to be taken to inoculate the population from future outbreaks. We have to carefully and quickly study cyber-incidents and determine what vulnerabilities exist, how they were exploited and what can be done to prevent future attacks.

NSA today provides guidance that is making it harder for the cyber-adversary to be successful, and we provide our guidance to other government agencies, including DHS and others that work with the commercial sector to help promote protection. Simply put, we want to perform fewer autopsies and practice more prevention. With the superb cooperation we’re already seeing among the government, academic and commercial sectors, I believe defense of all information networks will improve exponentially each year. I doubt we’ll ever be 100 percent secure, but with continued cooperation and aggressive education for the public, I do believe there will be fewer incidents of mass consequence. If nothing else, adversaries will have to work a lot harder and longer and expend many more resources for fewer results. ♦
