RSA Security Conference in San Francisco, CA
LTG Alexander Director, National Security Agency, Chief, Central Security Service
21 April 2009
LTG Keith Alexander: They told me I had to stand on the X first. (Laughter). I'll tell you, it's a privilege and honor to be here. It really is, to talk to all you professionals. But first, let's give that last group a big hand. Let's give them around of applause.
Okay, now honesty and integrity, just to start a few things out. I told my kids I'd get in applause and they're going to probably Google this, so that's the applause that I was going to get and I had to work that in. (Laughter).
I want to hit a few things up front. First, it's an honor and a privilege to be here and I mean that sincerely. You folks are tremendous in what you do. You have a tough job.
We have a lot in common. I have had the privilege and honor to serve as the Director of the National Security Agency for almost four years. We have great people. There are a lot of things that I want to cover today. I want to hit some of the things that are in the press, some of the things that you hear about, give it to you from my perspective. I can't go into classified stuff but I do want to give you what we're doing, where we are, and what I think the future is in cybersecurity, where we need to go.
Let me address that up front because Bruce hit on it. Right up front, we do not want to run cybersecurity for the United States government. That's a big job. It's going to take a team to do it. We have a part in it. We're technical people. We'll have the lead, I think, for the Defense Department and the intel community for critical national security systems, but we need partnership with others. DHS has a big role in it, and perhaps most importantly today we need to talk about your role in it and our allies and academia. How do we work together as a team to solve this problem? It is not A, NSA in charge; and it's not B, DHS in charge. Its one network and we all have to work together on it, so I want to hit that.
Another thing that I want to address up front, there's an awful lot of reports about what NSA does or doesn't do. Let me hit that one up front. I think where we are today, and we've had the privilege of briefing the President on how we collect. The laws that we follow and the rules that we follow are under court order, either the FISA or Executive Order 12333. And yes, we make mistakes. And when we make a mistake we self-report. We report to our overseers. I'm going to talk a little bit about this, and I think it's important that you know that. We tell people what we did, how it happened, what we're going to do to fix it. We tell the DNI, the Director of National Intelligence, the DoD, the DOJ, the Attorney General, Congress, the administration and the New York Times. (Laughter). Okay, the last part we don't do, but you'd think we did. So we have a responsibility to do that.
There's another part in this, though, as you walk through. As you walk through cybersecurity you get the impression that it is civil liberties or security. I think we've got to endeavor to do both. Equally and balance them. We do. For all of us.
So what I'm going to cover today in this briefing, I'm going to walk through some of that and give you some highlights. I'm going to talk a little bit about our history, from where we came; where we are today; talk a little bit about the networks and a little bit about the threat; I'm going to talk about the way forward; I'll briefly mention what Melissa Hathaway and her folks are going to do. She'll be here tomorrow to really add into that a little bit on the Comprehensive National Cyber Initiative.
Let's start with Enigma. The Greatest Generation. It's interesting. They give me a quiz. I come into NSA and I had to get the Diffie-Hellman, the RSA quiz, and so you have to learn all that, how the key exchange works and all this. And on the Enigma they give you a quiz on this. The quiz is, so how many permutations are there? It's three times ten to the 114th power -- that's a big number. And what's the issue for us? Why am I bringing this up? Because in World War II this was a game changer. The Germans were convinced that it was unbreakable. The Poles and the Brits and the United States later broke it. The war in the Atlantic raged over this one communications device.
January to March of 1942 when the German Navy, Admiral Dönitz changed from the three rotor going to a four rotor, he thought that somebody had broken it. He was right. In that period when they changed the four rotor, they sunk 216 vessels off the East Coast of the United States that were taking goods to Europe and the war on our side was going down. Later we'd break the four rotor Enigma and it turned back in our favor. We would end up sinking a number of the U-boats and their supply lines, the ones that they use to refuel, and the war came in our favor.
Now, I bring this up for a couple of reasons. One is that we were able to break their crypto system. We were able to use that to target them. We were able to use that to help win the war.
At the same time we had systems up here -- SIGSALLY, which was the system that allowed us to talk between, or allowed President Roosevelt and Prime Minister Winston Churchill to talk. The first pulse code modulation system. The really neat part about that, think of that as an iPhone, 55 tons. (Laughter). There were only two of them. They're hard to carry around. (Laughter). We don't think that was ever broke. The other one, the SIGABA, one that the Army and Navy partnered on. We don't think that was broke.
So what we had was we had cryptology that secured our communications and we were able to break theirs.
The same thing on the Japanese side with the red and then purple systems. And shown here is BOMBE. We didn't bring that with us. That's also a multi-ton system, but that's one that was built by Allen Turing in Great Britain. Huge. Huge.
So when you think about that, you end World War II. You now get to how did we build NSA and why did we build NSA and what was it? Information assurance. You don't read as much about that in the paper, and over here, foreign intelligence collection, signals intelligence. We brought all that together and our job was discover their secrets and protect ours.
What we need to talk about now as we go into this, so what's changed? What's happening on that?
So we bring all that together. A couple of other things I'd like to mention. I did mention the balancing liberty and privacy. Our freedom, our privacy and our security. How did we do that?
The charter that we got, actually there were a couple of charters. One that brought the Army, Navy, Air Force, the military together into the Armed Forces Security Agency; and then later the charter that developed NSA. Why is that important? We have good people. NSA has great people. Absolutely outstanding. The technical people that we have forms the backbone of securing our systems and breaking theirs. For the good of the nation and for our allies. Absolutely good people. We need to leverage that. That civilian infrastructure is phenomenal. Absolutely phenomenal.
Executive Order 12333 defines how we collect our foreign intelligence mission, and the Foreign Intelligence Surveillance Act explains how we'll do collection within the United States or other targets. I point that out because there's oversight from all bodies on those. By the courts, the administration, DoD, DNI and Congress. On all of that.
Now the issue. During World War II and coming up to today, the networks are pretty much separate. Point to point circuits, analog circuits. Everything was going good. Now what's happened? The digital revolution. We're packetizing. We're going digital. This is huge. It's great. It is. I have four daughters, I have 11 grandchildren. I know I look a lot younger, thank you. (Laughter). The seven year old, they've already got the iPod Shuffle. These kids are digitally connected. What we've built is huge, absolutely huge. We can now put all that on one network. We've put all that on one network. Our government, our private, our industry, our allies -- all on one network. Digitally connected. Tremendous capabilities for the future. This is huge. So what we've done is absolutely superb.
Tremendous vulnerabilities. That's where you come in. How are we going to solve this? How do we protect our civil liberties and privacy, get the bad guys. So I gave the last group, I don't know if they brought it up. I gave them a great idea. I said here's what we can do. Have all the good guys go into this area and all the bad guys we'll put over here, and they have to sign up over here. That will make it a lot easier. And if they would do that, my job would be easier.
So the problem is all the communications are together. We don't have a network that we defend on, a network that we exploit on, and a network that's attacked on, or a network for one and a network for the other. And it's not just the US. It's not just the government, not just industry, it's all of us. All together. That's part of the issue.
So when we look at this evolution, this is wonderful what's going on there. When you look at some of the new tools out there from the Kindall to the iPhone to the Blackberry Storm, the stuff that we can now do, it's huge. And look at how big this has changed. And what's on this network today that we're talking about over here? Everything. America's business and government runs on that network. Everything that we do. All our stuff. Medical records, everything. Our national security's on there, and our allies. So that's the problem.
And if you think about it, these are some of the statistics, and I tried to footnote all these so that you could see. I thought I was writing a thesis here so I did little footnotes. They're really small, but that's how footnotes are. Look at how many e-mails a day on the network in 2008 from the Radicati group -- 210 billion e-mails. Now I've heard it said that NSA is collecting all of those. (Laughter). It may be true. We were going to bring back Russell Crowe, from the movie out there, and teach him to read really fast, and sit him in front of a terminal and let those go by and he'd know everything, about everything. Then he could do math on the side. So there's a lot of e-mail out there.
Look at the amount per second -- two million. Sixty-five to 70 percent of it's spam or other. The number of internet hosts by the year 2015 will exceed the human population. Terrorists, active on over 4,000 of those web sites. And look at the number of attacks that are expected a day on the network. That's something I want to talk about and we'll go into that in a little bit more detail. And other governments operate on that network, as do we.
The threat. This was taken out of a PLA, out of a People's Liberation Army daily thing. You can see, when they were looking at how you go after the United States, only has to mess up the computer systems of the bank. Now I know what you're thinking. They did it. The economic crisis. (Laughter). No, no. This is different. The economic crisis was different.
But people see, other countries see industry and government of the United States as intertwined and it is. That's why the government's here. The government and perhaps from my perspective more importantly, NSA is here for the country. It's not here for NSA, it's to protect the country and our networks from our adversaries.
When you look on that network, look at what's operating on that network. Everybody. When you think about the actors on that network, how do we differentiate the good from the bad? That's really hard. How are we going to do that in the future? That's where our wealth is. That's where the adversaries are. So what we need to do now is look at and discuss in a little bit more detail what are some of the things we need to do to fix some of this?
I do want to take another step, though, because when you start looking at it, we briefly mentioned the last, what are the worst case scenarios that can happen? I don't know the answer to that, but there are some things that you see coming up on the networks like (Confiker) and the black energy bots that we ought to talk about.
So put a point out there. What's one of the first things that's happened that is a game changer, was when one country's networks were attacked by a number of hackers, we'll call it that, that did tremendous damage to that country over a two to three week period. Estonia was one of the most connected nations. It is one of the most connected nations. Tremendous problem. All of a sudden we went from cyber crime to cyber warfare.
So when we talk about the partnerships, one of the things that we have to do is how do we protect the nation in that regard? How do we take those steps forward? What's NSA's role? What's Department of Homeland Security's role? How do we work with industry on this where some of these are very sensitive?
Let's go back to Enigma. A couple of things. When we talk about Enigma we talked about that secret. It is interesting to note a couple of things about it. First, that secret did not come out until 1974 -- 30 years later. It didn't come out for 30 years. We kept that secret. A generation. So no one knew. In fact after World War II, if you go to our museum, we have one of these Enigma at our site here so you can play with it. If you can go through all the permutations, we give you a little cup holder. (Laughter). Yes, that was a joke.
If you think about it, after World War II the Russians came in and grabbed a bunch of the Enigma systems and thought these have got to be good, the Germans made them. So they started using them. (Laughter). What can I say? Life was good. (Laughter). It only lasted a couple of years.
Estonia, then Latvia, then Lithuania, then Georgia. What's next? I don't know the answer to that. These attacks now are out there, are documented. What do we do? What's the role of each of us in solving something like this against our infrastructure?
First, as I said and I think some of the folks before. It's not NSA and the team, because when I say NSA, NSA is actually a part of the Defense Department and the DNI team. In that the Defense Information Systems Agencies, Joint Task Force Global Network Operations is a key part of it. The Network Warfare folks are a key part of it. FBI and other agencies are a key part of it. A team. To protect our critical national security systems. That's one part. That's where we have a role. The National Security Directive 42 puts our role there.
Our team has tremendous technical capabilities and has grown over 60 years. From the group that started Enigma to where we are today, tremendous talent. We built that. We, this nation. We put that together. That's the technical footing, the technical foundation that's NSA. What we need to do now is learn how to use that, and we've been doing that and building that over the last couple of years. And the teaming within the Defense Department, you'll see that continue to grow. How we bring it together. What are the next steps? It is not to take over DHS' roles.
Now I'm going to be completely honest, DHS has a really tough job. They've got to operate and secure the rest of the dot-gov networks. That's hard work. We don't want to do that hard work. We want them to do that hard work. We'll provide them technical support as a foundation that they can lean on, and I think that's the right partnership.
Then the partnership with industry and academia. How do we work together? What is it that we're bringing in that team that we've built with the Defense Department for securing our nation in cyberspace? How do we deal with each of the others? Because in Enigma we had a secret that if it got out would have changed the war. Guess what? We use that same thing to secure our nation and our allies today in the war on terrorism and other things. If we lose that, we put our people at risk and we don't want to do that.
So then how do we secure that? How do we secure that and share it with industry? That's the discussion, the dialogue that we need to have. How are we going to protect our secrets and work with industry, academia and our allies to secure our network together as a team? That's what we've got to learn to do.
We need to share that with DHS as they go down that road. I've actually talked with Secretary Napolitano. She is a wonderful person, a hard job. We're there to support her as a technical group. Happy to do it. Wonderful person. Great capability.
I see you, Mike. So write that back, okay?
Then the question is so what happens in time of crisis? We've got to wargame that. What's our role, how do we support?
But there are some things that are broken. You see today when we look at our networks, when you look at our networks out there you've got a government network A, government network B, and within maybe the services many little networks. And firewalls and networks. And no common visibility. How do you see those? How do you work those together?
So one of the issues is we don't have a way of sharing and seeing the networks today in a timely manner. We've got to build that situational awareness.
How do we see and pass that information at network speed for malicious software or malware? How do we get those signatures out and say heads up to our allies, to industry, to DHS and others? If it is the exploitation arm of the DoD that's found it or the intel community, how do we share that for the good of all? That's a tough one. Because in sharing it you're starting to give out a secret.
I think we need to err and put more into cybersecurity and we're doing that. Work to the defense. Defend the nation.
What are the kinds of things we have to see at network speed? The way it used to be is that you would find out that something penetrated a firewall or one of your systems weren't brought up to date. The anti-virus community is superb. They do a great job. They absolutely do. But there is a gap there. So how do we work together to close that gap to protect our networks with the signatures? How do we do that? What's the relationship between government and those?
And then how do we provide early warning? There's where nations can work together because when you lay out the globe, we're each early warning for others in that globe and there is a way that we can and should work together for the security of those networks. I think that's a huge step forward.
One of the things that Melissa Hathaway and her team has done that's absolutely superb is the outreach, in a 60 day time period with everything that she has to do, a great outreach to industry and to our allies. Absolutely superb. Putting that forward. I know she's supposed to come here tomorrow and talk a little bit about that. Tough job. I think she's made some great leaps. What we need to do -- we, the defense community over here, the intel community -- figure out how we see this in cyberspace in real time and present the capability to provide that early warning to others. One job we have.
The second part, and I've talked about this on the team. Our team. All of us. When you look at that, we're in this team here. NSA's over here. The national security team. Providing the dot-mil, the intel community's networks. That's our job. The rest of the dot-gov, that's Department of Homeland Security's job. We'll provide technical support. Then we have critical infrastructure that we all depend on and we all have to work together with industry on that. DHS lead. We support. Technical support. I see that as our role. And I think that's where you need us.
But I wanted to put on the table, if I can leave one thing, it's got to be a team. It's not A or B. I saw in one of the articles today, who's going to win? Is it going to be this team or this team? We all lose if somebody wins in that regard. If we're not as a team, we lose. We've got to play as a team.
So just a brief discussion of the Comprehensive National Cyber Initiative. This led to what Melissa's doing in the 60 day review. What were the things that we need to do? We need to as a government, what do we need to do to start securing the military networks, our forces in the field, our intelligence networks, and then with DHS what do they have to do to secure the rest of the dot-gov networks? That's where the Comprehensive National Cyber Initiative was and the foundations that did all that and it listed these kinds of things. The indications and warning I gave a quick reference to.
How do we take what we see from our exploitation and pass it to the defense? Recall in Enigma SigSally and SigAba, working those together allowed us to have a better defense and a better offense. One team.
One of the things that has been superb at NSA is watching how they brought those two communities together in the Threat Operation Center for the good of the nation. I see a lot of people saying aren't you doing A or B or C? I don't see that. I see good people trying to do the right thing. And in this, they're trying to bring up what our nation needs on the networks.
So www.nsa.gov -- no, I'm not trying to hire everybody, although this is a good time for hiring from our perspective. We ought to take advantage of that. (Laughter).
Let me just review some of the key things I see out here that we ought to talk about and walk down this road. First, you know the Greatest Generation, World War II, they broke the codes, they made tremendous codes. Absolutely superb. That's our heritage. What they did presents for us, gives us some great insights into what we now need to do.
What they found out is that when they worked together we were better than when the Army and the Navy worked separately, so we pushed them together. Now what we now need to do is this great generation that is coming up with the neatest tools on the internet, absolutely superb. This is absolutely a wonderful time. You look at the kids and all the stuff that we have, absolutely superb. We now need to figure out how we secure that. Not at the risk of civil liberties and privacy, but balancing those for the good of the nation.
I think we need to dispel the rumors. That's not NSA or DHS, it's one team, for the good of the nation. And we're there to support as DHS does its mission, and we're there to do the critical national security systems in our part of the mission and work with industry, academia, DHS and others to do that. A technical bench.
I think when you see that, the great people that we have at NSA, we need to leverage that. We have the world's center of gravity for crypto mathematicians. We ought to leverage that for the good of the nation.
Finally, just to put a cap on it, we have great oversight. We self- report when we make a mistake. We do make mistakes. And if you think about software and the environment that we're working in, these mistakes are something that you probably understand better than anyone. Vulnerabilities in code is a mistake and when those vulnerabilities happen, things happen on the network and we take that as an issue that we then take up to our overseers. We self-report. We fix it. And we tell them what we're doing.
Bottom line, you have a tremendously hard job in securing these networks and for what you do in industry and in government. A real tough job. We're there to work with you as a team.
Thanks for the great work that you do. It has been an honor and a privilege for me to be here today.
Thank you very much, folks.