29 April 2009
RSA Security Conference in San Francisco, CA LTG Keith Alexander: They told me I had to stand on the X first. (Laughter). Ill tell you, its a privilege and honor to be here. It really is, to talk to all you professionals. But first, lets give that last group a big hand. Lets give them around of applause. (Applause). Okay, now honesty and integrity, just to start a few things out. I told my kids Id get in applause and theyre going to probably Google this, so thats the applause that I was going to get and I had to work that in. (Laughter). I want to hit a few things up front. First, its an honor and a privilege to be here and I mean that sincerely. You folks are tremendous in what you do. You have a tough job. We have a lot in common. I have had the privilege and honor to serve as the Director of the National Security Agency for almost four years. We have great people. There are a lot of things that I want to cover today. I want to hit some of the things that are in the press, some of the things that you hear about, give it to you from my perspective. I cant go into classified stuff but I do want to give you what were doing, where we are, and what I think the future is in cybersecurity, where we need to go. Let me address that up front because Bruce hit on it. Right up front, we do not want to run cybersecurity for the United States government. Thats a big job. Its going to take a team to do it. We have a part in it. Were technical people. Well have the lead, I think, for the Defense Department and the intel community for critical national security systems, but we need partnership with others. DHS has a big role in it, and perhaps most importantly today we need to talk about your role in it and our allies and academia. How do we work together as a team to solve this problem? It is not A, NSA in charge; and its not B, DHS in charge. Its one network and we all have to work together on it, so I want to hit that. Another thing that I want to address up front, theres an awful lot of reports about what NSA does or doesnt do. Let me hit that one up front. I think where we are today, and weve had the privilege of briefing the President on how we collect. The laws that we follow and the rules that we follow are under court order, either the FISA or Executive Order 12333. And yes, we make mistakes. And when we make a mistake we self-report. We report to our overseers. Im going to talk a little bit about this, and I think its important that you know that. We tell people what we did, how it happened, what were going to do to fix it. We tell the DNI, the Director of National Intelligence, the DoD, the DOJ, the Attorney General, Congress, the administration and the New York Times. (Laughter). Okay, the last part we dont do, but youd think we did. So we have a responsibility to do that. Theres another part in this, though, as you walk through. As you walk through cybersecurity you get the impression that it is civil liberties or security. I think weve got to endeavor to do both. Equally and balance them. We do. For all of us. So what Im going to cover today in this briefing, Im going to walk through some of that and give you some highlights. Im going to talk a little bit about our history, from where we came; where we are today; talk a little bit about the networks and a little bit about the threat; Im going to talk about the way forward; Ill briefly mention what Melissa Hathaway and her folks are going to do. Shell be here tomorrow to really add into that a little bit on the Comprehensive National Cyber Initiative. Lets start with Enigma. The Greatest Generation. Its interesting. They give me a quiz. I come into NSA and I had to get the Diffie-Hellman, the RSA quiz, and so you have to learn all that, how the key exchange works and all this. And on the Enigma they give you a quiz on this. The quiz is, so how many permutations are there? Its three times ten to the 114th power -- thats a big number. And whats the issue for us? Why am I bringing this up? Because in World War II this was a game changer. The Germans were convinced that it was unbreakable. The Poles and the Brits and the United States later broke it. The war in the Atlantic raged over this one communications device. January to March of 1942 when the German Navy, Admiral Dunnich changed from the three rotor going to a four rotor, he thought that somebody had broken it. He was right. In that period when they changed the four rotor, they sunk 216 vessels off the East Coast of the United States that were taking goods to Europe and the war on our side was going down. Later wed break the four rotor Enigma and it turned back in our favor. We would end up sinking a number of the U-boats and their supply lines, the ones that they use to refuel, and the war came in our favor. Now, I bring this up for a couple of reasons. One is that we were able to break their crypto system. We were able to use that to target them. We were able to use that to help win the war. At the same time we had systems up here -- SIGSALLY, which was the system that allowed us to talk between, or allowed President Roosevelt and Prime Minister Winston Churchill to talk. The first pulse code modulation system. The really neat part about that, think of that as an iPhone, 55 tons. (Laughter). There were only two of them. Theyre hard to carry around. (Laughter). We dont think that was ever broke. The other one, the SIGABA, one that the Army and Navy partnered on. We dont think that was broke. So what we had was we had cryptology that secured our communications and we were able to break theirs. The same thing on the Japanese side with the red and then purple systems. And shown here is BOMBE. We didnt bring that with us. Thats also a multi-ton system, but thats one that was built by Allen Turing in Great Britain. Huge. Huge. So when you think about that, you end World War II. You now get to how did we build NSA and why did we build NSA and what was it? Information assurance. You dont read as much about that in the paper, and over here, foreign intelligence collection, signals intelligence. We brought all that together and our job was discover their secrets and protect ours. What we need to talk about now as we go into this, so whats changed? Whats happening on that? So we bring all that together. A couple of other things Id like to mention. I did mention the balancing liberty and privacy. Our freedom, our privacy and our security. How did we do that? The charter that we got, actually there were a couple of charters. One that brought the Army, Navy, Air Force, the military together into the Armed Forces Security Agency; and then later the charter that developed NSA. Why is that important? We have good people. NSA has great people. Absolutely outstanding. The technical people that we have forms the backbone of securing our systems and breaking theirs. For the good of the nation and for our allies. Absolutely good people. We need to leverage that. That civilian infrastructure is phenomenal. Absolutely phenomenal. Executive Order 12333 defines how we collect our foreign intelligence mission, and the Foreign Intelligence Surveillance Act explains how well do collection within the United States or other targets. I point that out because theres oversight from all bodies on those. By the courts, the administration, DoD, DNI and Congress. On all of that. Now the issue. During World War II and coming up to today, the networks are pretty much separate. Point to point circuits, analog circuits. Everything was going good. Now whats happened? The digital revolution. Were packetizing. Were going digital. This is huge. Its great. It is. I have four daughters, I have 11 grandchildren. I know I look a lot younger, thank you. (Laughter). The seven year old, theyve already got the iPod Shuffle. These kids are digitally connected. What weve built is huge, absolutely huge. We can now put all that on one network. Weve put all that on one network. Our government, our private, our industry, our allies -- all on one network. Digitally connected. Tremendous capabilities for the future. This is huge. So what weve done is absolutely superb. Tremendous vulnerabilities. Thats where you come in. How are we going to solve this? How do we protect our civil liberties and privacy, get the bad guys. So I gave the last group, I dont know if they brought it up. I gave them a great idea. I said heres what we can do. Have all the good guys go into this area and all the bad guys well put over here, and they have to sign up over here. That will make it a lot easier. And if they would do that, my job would be easier. So the problem is all the communications are together. We dont have a network that we defend on, a network that we exploit on, and a network thats attacked on, or a network for one and a network for the other. And its not just the US. Its not just the government, not just industry, its all of us. All together. Thats part of the issue. So when we look at this evolution, this is wonderful whats going on there. When you look at some of the new tools out there from the Kindall to the iPhone to the Blackberry Storm, the stuff that we can now do, its huge. And look at how big this has changed. And whats on this network today that were talking about over here? Everything. Americas business and government runs on that network. Everything that we do. All our stuff. Medical records, everything. Our national securitys on there, and our allies. So thats the problem. And if you think about it, these are some of the statistics, and I tried to footnote all these so that you could see. I thought I was writing a thesis here so I did little footnotes. Theyre really small, but thats how footnotes are. Look at how many e-mails a day on the network in 2008 from the Radicati group -- 210 billion e-mails. Now Ive heard it said that NSA is collecting all of those. (Laughter). It may be true. We were going to bring back Russell Crowe, from the movie out there, and teach him to read really fast, and sit him in front of a terminal and let those go by and hed know everything, about everything. Then he could do math on the side. So theres a lot of e-mail out there. Look at the amount per second -- two million. Sixty-five to 70 percent of its spam or other. The number of internet hosts by the year 2015 will exceed the human population. Terrorists, active on over 4,000 of those web sites. And look at the number of attacks that are expected a day on the network. Thats something I want to talk about and well go into that in a little bit more detail. And other governments operate on that network, as do we. The threat. This was taken out of a PLA, out of a Peoples Liberation Army daily thing. You can see, when they were looking at how you go after the United States, only has to mess up the computer systems of the bank. Now I know what youre thinking. They did it. The economic crisis. (Laughter). No, no. This is different. The economic crisis was different. But people see, other countries see industry and government of the United States as intertwined and it is. Thats why the governments here. The government and perhaps from my perspective more importantly, NSA is here for the country. Its not here for NSA, its to protect the country and our networks from our adversaries. When you look on that network, look at whats operating on that network. Everybody. When you think about the actors on that network, how do we differentiate the good from the bad? Thats really hard. How are we going to do that in the future? Thats where our wealth is. Thats where the adversaries are. So what we need to do now is look at and discuss in a little bit more detail what are some of the things we need to do to fix some of this? I do want to take another step, though, because when you start looking at it, we briefly mentioned the last, what are the worst case scenarios that can happen? I dont know the answer to that, but there are some things that you see coming up on the networks like (Confiker) and the black energy bots that we ought to talk about. So put a point out there. Whats one of the first things thats happened that is a game changer, was when one countrys networks were attacked by a number of hackers, well call it that, that did tremendous damage to that country over a two to three week period. Estonia was one of the most connected nations. It is one of the most connected nations. Tremendous problem. All of a sudden we went from cyber crime to cyber warfare. So when we talk about the partnerships, one of the things that we have to do is how do we protect the nation in that regard? How do we take those steps forward? Whats NSAs role? Whats Department of Homeland Securitys role? How do we work with industry on this where some of these are very sensitive? Lets go back to Enigma. A couple of things. When we talk about Enigma we talked about that secret. It is interesting to note a couple of things about it. First, that secret did not come out until 1974 -- 30 years later. It didnt come out for 30 years. We kept that secret. A generation. So no one knew. In fact after World War II, if you go to our museum, we have one of these Enigma at our site here so you can play with it. If you can go through all the permutations, we give you a little cup holder. (Laughter). Yes, that was a joke. If you think about it, after World War II the Russians came in and grabbed a bunch of the Enigma systems and thought these have got to be good, the Germans made them. So they started using them. (Laughter). What can I say? Life was good. (Laughter). It only lasted a couple of years. Estonia, then Latvia, then Lithuania, then Georgia. Whats next? I dont know the answer to that. These attacks now are out there, are documented. What do we do? Whats the role of each of us in solving something like this against our infrastructure? First, as I said and I think some of the folks before. Its not NSA and the team, because when I say NSA, NSA is actually a part of the Defense Department and the DNI team. In that the Defense Information Systems Agencies, Joint Task Force Global Network Operations is a key part of it. The Network Warfare folks are a key part of it. FBI and other agencies are a key part of it. A team. To protect our critical national security systems. Thats one part. Thats where we have a role. The National Security Directive 42 puts our role there. Our team has tremendous technical capabilities and has grown over 60 years. From the group that started Enigma to where we are today, tremendous talent. We built that. We, this nation. We put that together. Thats the technical footing, the technical foundation thats NSA. What we need to do now is learn how to use that, and weve been doing that and building that over the last couple of years. And the teaming within the Defense Department, youll see that continue to grow. How we bring it together. What are the next steps? It is not to take over DHS roles. Now Im going to be completely honest, DHS has a really tough job. Theyve got to operate and secure the rest of the dot-gov networks. Thats hard work. We dont want to do that hard work. We want them to do that hard work. Well provide them technical support as a foundation that they can lean on, and I think thats the right partnership. Then the partnership with industry and academia. How do we work together? What is it that were bringing in that team that weve built with the Defense Department for securing our nation in cyberspace? How do we deal with each of the others? Because in Enigma we had a secret that if it got out would have changed the war. Guess what? We use that same thing to secure our nation and our allies today in the war on terrorism and other things. If we lose that, we put our people at risk and we dont want to do that. So then how do we secure that? How do we secure that and share it with industry? Thats the discussion, the dialogue that we need to have. How are we going to protect our secrets and work with industry, academia and our allies to secure our network together as a team? Thats what weve got to learn to do. We need to share that with DHS as they go down that road. Ive actually talked with Secretary Napolitano. She is a wonderful person, a hard job. Were there to support her as a technical group. Happy to do it. Wonderful person. Great capability. I see you, Mike. So write that back, okay? Then the question is so what happens in time of crisis? Weve got to wargame that. Whats our role, how do we support? But there are some things that are broken. You see today when we look at our networks, when you look at our networks out there youve got a government network A, government network B, and within maybe the services many little networks. And firewalls and networks. And no common visibility. How do you see those? How do you work those together? So one of the issues is we dont have a way of sharing and seeing the networks today in a timely manner. Weve got to build that situational awareness. How do we see and pass that information at network speed for malicious software or malware? How do we get those signatures out and say heads up to our allies, to industry, to DHS and others? If it is the exploitation arm of the DoD thats found it or the intel community, how do we share that for the good of all? Thats a tough one. Because in sharing it youre starting to give out a secret. I think we need to err and put more into cybersecurity and were doing that. Work to the defense. Defend the nation. What are the kinds of things we have to see at network speed? The way it used to be is that you would find out that something penetrated a firewall or one of your systems werent brought up to date. The anti-virus community is superb. They do a great job. They absolutely do. But there is a gap there. So how do we work together to close that gap to protect our networks with the signatures? How do we do that? Whats the relationship between government and those? And then how do we provide early warning? Theres where nations can work together because when you lay out the globe, were each early warning for others in that globe and there is a way that we can and should work together for the security of those networks. I think thats a huge step forward. One of the things that Melissa Hathaway and her team has done thats absolutely superb is the outreach, in a 60 day time period with everything that she has to do, a great outreach to industry and to our allies. Absolutely superb. Putting that forward. I know shes supposed to come here tomorrow and talk a little bit about that. Tough job. I think shes made some great leaps. What we need to do -- we, the defense community over here, the intel community -- figure out how we see this in cyberspace in real time and present the capability to provide that early warning to others. One job we have. The second part, and Ive talked about this on the team. Our team. All of us. When you look at that, were in this team here. NSAs over here. The national security team. Providing the dot-mil, the intel communitys networks. Thats our job. The rest of the dot-gov, thats Department of Homeland Securitys job. Well provide technical support. Then we have critical infrastructure that we all depend on and we all have to work together with industry on that. DHS lead. We support. Technical support. I see that as our role. And I think thats where you need us. But I wanted to put on the table, if I can leave one thing, its got to be a team. Its not A or B. I saw in one of the articles today, whos going to win? Is it going to be this team or this team? We all lose if somebody wins in that regard. If were not as a team, we lose. Weve got to play as a team. So just a brief discussion of the Comprehensive National Cyber Initiative. This led to what Melissas doing in the 60 day review. What were the things that we need to do? We need to as a government, what do we need to do to start securing the military networks, our forces in the field, our intelligence networks, and then with DHS what do they have to do to secure the rest of the dot-gov networks? Thats where the Comprehensive National Cyber Initiative was and the foundations that did all that and it listed these kinds of things. The indications and warning I gave a quick reference to. How do we take what we see from our exploitation and pass it to the defense? Recall in Enigma SigSally and SigAba, working those together allowed us to have a better defense and a better offense. One team. One of the things that has been superb at NSA is watching how they brought those two communities together in the Threat Operation Center for the good of the nation. I see a lot of people saying arent you doing A or B or C? I dont see that. I see good people trying to do the right thing. And in this, theyre trying to bring up what our nation needs on the networks. So www.nsa.gov -- no, Im not trying to hire everybody, although this is a good time for hiring from our perspective. We ought to take advantage of that. (Laughter). Let me just review some of the key things I see out here that we ought to talk about and walk down this road. First, you know the Greatest Generation, World War II, they broke the codes, they made tremendous codes. Absolutely superb. Thats our heritage. What they did presents for us, gives us some great insights into what we now need to do. What they found out is that when they worked together we were better than when the Army and the Navy worked separately, so we pushed them together. Now what we now need to do is this great generation that is coming up with the neatest tools on the internet, absolutely superb. This is absolutely a wonderful time. You look at the kids and all the stuff that we have, absolutely superb. We now need to figure out how we secure that. Not at the risk of civil liberties and privacy, but balancing those for the good of the nation. I think we need to dispel the rumors. Thats not NSA or DHS, its one team, for the good of the nation. And were there to support as DHS does its mission, and were there to do the critical national security systems in our part of the mission and work with industry, academia, DHS and others to do that. A technical bench. I think when you see that, the great people that we have at NSA, we need to leverage that. We have the worlds center of gravity for crypto mathematicians. We ought to leverage that for the good of the nation. Finally, just to put a cap on it, we have great oversight. We self- report when we make a mistake. We do make mistakes. And if you think about software and the environment that were working in, these mistakes are something that you probably understand better than anyone. Vulnerabilities in code is a mistake and when those vulnerabilities happen, things happen on the network and we take that as an issue that we then take up to our overseers. We self-report. We fix it. And we tell them what were doing. Bottom line, you have a tremendously hard job in securing these networks and for what you do in industry and in government. A real tough job. Were there to work with you as a team. Thanks for the great work that you do. It has been an honor and a privilege for me to be here today. Thank you very much, folks. Historical Document | Date Posted: Apr 23, 2009
|
|