RSA Security Conference in San Francisco
Laws And Rules We Follow Are
Under Court Order
RSA Security Conference in San
Francisco, California, LTG Keith Alexander, Director, National Security
Agency, Chief, Central Security Service. 21 April 2009.
Source : NSA.
LTG Keith Alexander: They told
me I had to stand on the X first. (Laughter). I'll tell you, it's a privilege
and honor to be here. It really is, to talk to all you professionals. But first,
let's give that last group a big hand. Let's give them around of applause.
Okay, now honesty and integrity, just to start a few things out. I told my kids
I'd get in applause and they're going to probably Google this, so that's the
applause that I was going to get and I had to work that in. (Laughter).
I want to hit a few things up front. First, it's an honor and a privilege to be
here and I mean that sincerely. You folks are tremendous in what you do. You
have a tough job.
We have a lot in common. I have had the privilege and honor to serve as the
Director of the National Security Agency for almost four years. We have great
people. There are a lot of things that I want to cover today. I want to hit some
of the things that are in the press, some of the things that you hear about,
give it to you from my perspective. I can't go into classified stuff but I do
want to give you what we're doing, where we are, and what I think the future is
in cybersecurity, where we need to go.
Let me address that up front because Bruce hit on it. Right up front, we do not
want to run cybersecurity for the United States government. That's a big job.
It's going to take a team to do it. We have a part in it. We're technical
people. We'll have the lead, I think, for the Defense Department and the intel
community for critical national security systems, but we need partnership with
others. DHS has a big role in it, and perhaps most importantly today we need to
talk about your role in it and our allies and academia. How do we work together
as a team to solve this problem? It is not A, NSA in charge; and it's not B, DHS
in charge. Its one network and we all have to work together on it, so I want to
Another thing that I want to address up front, there's an awful lot of reports
about what NSA does or doesn't do. Let me hit that one up front. I think where
we are today, and we've had the privilege of briefing the President on how we
collect. The laws that we follow and the rules that we
follow are under court order, either the FISA or Executive Order 12333.
And yes, we make mistakes. And when we make a mistake we self-report. We report
to our overseers. I'm going to talk a little bit about this, and I think it's
important that you know that. We tell people what we did, how it happened, what
we're going to do to fix it. We tell the DNI, the Director of National
Intelligence, the DoD, the DOJ, the Attorney General, Congress, the
administration and the New York Times. (Laughter). Okay, the last part we don't
do, but you'd think we did. So we have a responsibility to do that.
There's another part in this, though, as you walk through. As you walk through
cybersecurity you get the impression that it is civil liberties or security. I
think we've got to endeavor to do both. Equally and balance them. We do. For all
So what I'm going to cover today in this briefing, I'm going to walk through
some of that and give you some highlights. I'm going to talk a little bit about
our history, from where we came; where we are today; talk a little bit about the
networks and a little bit about the threat; I'm going to talk about the way
forward; I'll briefly mention what Melissa Hathaway and her folks are going to
do. She'll be here tomorrow to really add into that a little bit on the
Comprehensive National Cyber Initiative.
Let's start with Enigma
The Greatest Generation. It's interesting. They give me a
quiz. I come into NSA and I had to get the Diffie-Hellman, the RSA quiz, and so
you have to learn all that, how the key exchange works and all this. And on the
Enigma they give you a quiz on this. The quiz is, so how many permutations are
there? It's three times ten to the 114th power -- that's a big number. And
what's the issue for us? Why am I bringing this up? Because in World War II this
was a game changer. The Germans were convinced that it was unbreakable. The
Poles and the Brits and the United States later broke it. The war in the
Atlantic raged over this one communications device.
January to March of 1942 when the German Navy, Admiral Dönitz changed from the
three rotor going to a four rotor, he thought that somebody had broken it. He
was right. In that period when they changed the four rotor, they sunk 216
vessels off the East Coast of the United States that were taking goods to Europe
and the war on our side was going down. Later we'd break the four rotor Enigma
and it turned back in our favor. We would end up sinking a number of the U-boats
and their supply lines, the ones that they use to refuel, and the war came in
Now, I bring this up for a couple of reasons. One is that we were able to break
their crypto system. We were able to use that to target them. We were able to
use that to help win the war.
At the same time we had systems up here -- SIGSALLY, which was the system that
allowed us to talk between, or allowed President Roosevelt and Prime Minister
Winston Churchill to talk. The first pulse code modulation system. The really
neat part about that, think of that as an iPhone, 55 tons. (Laughter). There
were only two of them. They're hard to carry around. (Laughter). We don't think
that was ever broke. The other one, the SIGABA, one that the Army and Navy
partnered on. We don't think that was broke.
So what we had was we had cryptology that secured our communications and we were
able to break theirs.
The same thing on the Japanese side with the red and then purple systems. And
shown here is BOMBE. We didn't bring that with us. That's also a multi-ton
system, but that's one that was built by Allen Turing in Great Britain. Huge.
So when you think about that, you end World War II. You now get to how did we
build NSA and why did we build NSA and what was it? Information assurance. You
don't read as much about that in the paper, and over here, foreign intelligence
collection, signals intelligence. We brought all that together and our job was
discover their secrets and protect ours.
What we need to talk about now as we go into this, so what's changed? What's
happening on that?
So we bring all that together. A couple of other things I'd like to mention. I
did mention the balancing liberty and privacy. Our freedom, our privacy and our
security. How did we do that?
The charter that we got, actually there were a couple of charters. One that
brought the Army, Navy, Air Force, the military together into the Armed Forces
Security Agency; and then later the charter that developed NSA. Why is that
important? We have good people. NSA has great people. Absolutely outstanding.
The technical people that we have forms the backbone of securing our systems and
breaking theirs. For the good of the nation and for our allies. Absolutely good
people. We need to leverage that. That civilian infrastructure is phenomenal.
Executive Order 12333 defines how we collect our foreign intelligence mission,
and the Foreign Intelligence Surveillance Act explains how we'll do collection
within the United States or other targets. I point that out because there's
oversight from all bodies on those. By the courts, the administration, DoD, DNI
and Congress. On all of that.
Now the issue. During World War II and coming up to today, the networks are
pretty much separate. Point to point circuits, analog circuits. Everything was
going good. Now what's happened? The digital revolution. We're packetizing.
We're going digital. This is huge. It's great. It is. I have four daughters, I
have 11 grandchildren. I know I look a lot younger, thank you. (Laughter). The
seven year old, they've already got the iPod Shuffle. These kids are digitally
connected. What we've built is huge, absolutely huge. We can now put all that on
one network. We've put all that on one network. Our government, our private, our
industry, our allies -- all on one network. Digitally connected. Tremendous
capabilities for the future. This is huge. So what we've done is absolutely
That's where you come in. How are we going to solve this? How
do we protect our civil liberties and privacy, get the bad guys. So I gave the
last group, I don't know if they brought it up. I gave them a great idea. I said
here's what we can do. Have all the good guys go into this area and all the bad
guys we'll put over here, and they have to sign up over here. That will make it
a lot easier. And if they would do that, my job would be easier.
So the problem is all the communications are together. We don't have a network
that we defend on, a network that we exploit on, and a network that's attacked
on, or a network for one and a network for the other. And it's not just the US.
It's not just the government, not just industry, it's all of us. All together.
That's part of the issue.
So when we look at this evolution, this is wonderful what's going on there. When
you look at some of the new tools out there from the Kindall to the iPhone to
the Blackberry Storm, the stuff that we can now do, it's huge. And look at how
big this has changed. And what's on this network today that we're talking about
over here? Everything. America's business and government runs on that network.
Everything that we do. All our stuff. Medical records, everything. Our national
security's on there, and our allies. So that's the problem.
And if you think about it, these are some of the statistics, and I tried to
footnote all these so that you could see. I thought I was writing a thesis here
so I did little footnotes. They're really small, but that's how footnotes are.
Look at how many e-mails a day on the network in 2008 from the Radicati group --
210 billion e-mails. Now I've heard it said that NSA is collecting all of those.
(Laughter). It may be true. We were going to bring back Russell Crowe, from the
movie out there, and teach him to read really fast, and sit him in front of a
terminal and let those go by and he'd know everything, about everything. Then he
could do math on the side. So there's a lot of e-mail out there.
Look at the amount per second -- two million. Sixty-five to 70 percent of it's
spam or other. The number of internet hosts by the year 2015 will exceed the
human population. Terrorists, active on over 4,000 of those web sites. And look
at the number of attacks that are expected a day on the network. That's
something I want to talk about and we'll go into that in a little bit more
detail. And other governments operate on that network, as do we.
This was taken out of a PLA, out of a People's Liberation
Army daily thing. You can see, when they were looking at how you go after the
United States, only has to mess up the computer systems of the bank. Now I know
what you're thinking. They did it. The economic crisis. (Laughter). No, no. This
is different. The economic crisis was different.
But people see, other countries see industry and government of the United States
as intertwined and it is. That's why the government's here. The government and
perhaps from my perspective more importantly, NSA is here for the country. It's
not here for NSA, it's to protect the country and our networks from our
When you look on that network, look at what's operating on that network.
Everybody. When you think about the actors on that network, how do we
differentiate the good from the bad? That's really hard. How are we going to do
that in the future? That's where our wealth is. That's where the adversaries
are. So what we need to do now is look at and discuss in a little bit more
detail what are some of the things we need to do to fix some of this?
I do want to take another step, though, because when you start looking at it, we
briefly mentioned the last, what are the worst case scenarios that can happen? I
don't know the answer to that, but there are some things that you see coming up
on the networks like (Confiker) and the black energy bots that we ought to talk
So put a point out there. What's one of the first things that's happened that is
a game changer, was when one country's networks were attacked by a number of
hackers, we'll call it that, that did tremendous damage to that country over a
two to three week period. Estonia was one of the most connected nations. It is
one of the most connected nations. Tremendous problem. All of a sudden we went
from cyber crime to cyber warfare.
So when we talk about the partnerships, one of the things that we have to do is
how do we protect the nation in that regard? How do we take those steps forward?
What's NSA's role? What's Department of Homeland Security's role? How do we work
with industry on this where some of these are very sensitive?
Let's go back to Enigma. A couple of things. When we talk about Enigma we talked
about that secret. It is interesting to note a couple of things about it. First,
that secret did not come out until 1974 -- 30 years later. It didn't come out
for 30 years. We kept that secret. A generation. So no one knew. In fact after
World War II, if you go to our museum, we have one of these Enigma at our site
here so you can play with it. If you can go through all the permutations, we
give you a little cup holder. (Laughter). Yes, that was a joke.
If you think about it, after World War II the Russians came in and grabbed a
bunch of the Enigma systems and thought these have got to be good, the Germans
made them. So they started using them. (Laughter). What can I say? Life was good.
(Laughter). It only lasted a couple of years.
Estonia, then Latvia, then Lithuania, then Georgia. What's next? I don't know
the answer to that. These attacks now are out there, are documented. What do we
do? What's the role of each of us in solving something like this against our
First, as I said and I think some of the folks before. It's not NSA and the
team, because when I say NSA, NSA is actually a part of the Defense Department
and the DNI team. In that the Defense Information Systems Agencies, Joint Task
Force Global Network Operations is a key part of it. The Network Warfare folks
are a key part of it. FBI and other agencies are a key part of it. A team. To
protect our critical national security systems. That's one part. That's where we
have a role. The National Security Directive 42 puts our role there.
Our team has tremendous technical capabilities and has grown over 60 years. From
the group that started Enigma to where we are today, tremendous talent. We built
that. We, this nation. We put that together. That's the technical footing, the
technical foundation that's NSA. What we need to do now is learn how to use that,
and we've been doing that and building that over the last couple of years. And
the teaming within the Defense Department, you'll see that continue to grow. How
we bring it together. What are the next steps? It is not to take over DHS' roles.
Now I'm going to be completely honest, DHS has a really tough job. They've got
to operate and secure the rest of the dot-gov networks. That's hard work. We
don't want to do that hard work. We want them to do that hard work. We'll
provide them technical support as a foundation that they can lean on, and I
think that's the right partnership.
Then the partnership with industry and academia. How do we work together? What
is it that we're bringing in that team that we've built with the Defense
Department for securing our nation in cyberspace? How do we deal with each of
the others? Because in Enigma we had a secret that if it got out would have
changed the war. Guess what? We use that same thing to secure our nation and our
allies today in the war on terrorism and other things. If we lose that, we put
our people at risk and we don't want to do that.
So then how do we secure that? How do we secure that and share it with industry?
That's the discussion, the dialogue that we need to have. How are we going to
protect our secrets and work with industry, academia and our allies to secure
our network together as a team? That's what we've got to learn to do.
We need to share that with DHS as they go down that road. I've actually talked
with Secretary Napolitano. She is a wonderful person, a hard job. We're there to
support her as a technical group. Happy to do it. Wonderful person. Great
I see you, Mike. So write that back, okay?
Then the question is so what happens in time of crisis? We've got to wargame
that. What's our role, how do we support?
But there are some things that are broken. You see today when we look at our
networks, when you look at our networks out there you've got a government
network A, government network B, and within maybe the services many little
networks. And firewalls and networks. And no common visibility. How do you see
those? How do you work those together?
So one of the issues is we don't have a way of sharing and seeing the networks
today in a timely manner. We've got to build that situational awareness.
How do we see and pass that information at network speed for malicious software
or malware? How do we get those signatures out and say heads up to our allies,
to industry, to DHS and others? If it is the exploitation arm of the DoD that's
found it or the intel community, how do we share that for the good of all?
That's a tough one. Because in sharing it you're starting to give out a secret.
I think we need to err and put more into cybersecurity and we're doing that.
Work to the defense. Defend the nation.
What are the kinds of things we have to see at network speed? The way it used to
be is that you would find out that something penetrated a firewall or one of
your systems weren't brought up to date. The anti-virus community is superb.
They do a great job. They absolutely do. But there is a gap there. So how do we
work together to close that gap to protect our networks with the signatures? How
do we do that? What's the relationship between government and those?
And then how do we provide early warning? There's where nations can work
together because when you lay out the globe, we're each early warning for others
in that globe and there is a way that we can and should work together for the
security of those networks. I think that's a huge step forward.
One of the things that Melissa Hathaway and her team has done that's absolutely
superb is the outreach, in a 60 day time period with everything that she has to
do, a great outreach to industry and to our allies. Absolutely superb. Putting
that forward. I know she's supposed to come here tomorrow and talk a little bit
about that. Tough job. I think she's made some great leaps. What we need to do
-- we, the defense community over here, the intel community -- figure out how we
see this in cyberspace in real time and present the capability to provide that
early warning to others. One job we have.
The second part, and I've talked about this on the team. Our team. All of us.
When you look at that, we're in this team here. NSA's over here. The national
security team. Providing the dot-mil, the intel community's networks. That's our
job. The rest of the dot-gov, that's Department of Homeland Security's job.
We'll provide technical support. Then we have critical infrastructure that we
all depend on and we all have to work together with industry on that. DHS lead.
We support. Technical support. I see that as our role. And I think that's where
you need us.
But I wanted to put on the table, if I can leave one thing, it's got to be a
team. It's not A or B. I saw in one of the articles today, who's going to win?
Is it going to be this team or this team? We all lose if somebody wins in that
regard. If we're not as a team, we lose. We've got to play as a team.
So just a brief discussion of the Comprehensive National Cyber Initiative. This
led to what Melissa's doing in the 60 day review. What were the things that we
need to do? We need to as a government, what do we need to do to start securing
the military networks, our forces in the field, our intelligence networks, and
then with DHS what do they have to do to secure the rest of the dot-gov
networks? That's where the Comprehensive National Cyber Initiative was and the
foundations that did all that and it listed these kinds of things. The
indications and warning I gave a quick reference to.
How do we take what we see from our exploitation and pass it to the defense?
Recall in Enigma SigSally and SigAba, working those together allowed us to have
a better defense and a better offense. One team.
One of the things that has been superb at NSA is watching how they brought those
two communities together in the Threat Operation Center for the good of the
nation. I see a lot of people saying aren't you doing A or B or C? I don't see
that. I see good people trying to do the right thing. And in this, they're
trying to bring up what our nation needs on the networks.
So www.nsa.gov -- no, I'm not trying to hire everybody, although this is a good
time for hiring from our perspective. We ought to take advantage of that. (Laughter).
Let me just review some of the key things I see out here that we ought to talk
about and walk down this road. First, you know the Greatest Generation, World
War II, they broke the codes, they made tremendous codes. Absolutely superb.
That's our heritage. What they did presents for us, gives us some great insights
into what we now need to do.
What they found out is that when they worked together we were better than when
the Army and the Navy worked separately, so we pushed them together. Now what we
now need to do is this great generation that is coming up with the neatest tools
on the internet, absolutely superb. This is absolutely a wonderful time. You
look at the kids and all the stuff that we have, absolutely superb. We now need
to figure out how we secure that. Not at the risk of civil liberties and privacy,
but balancing those for the good of the nation.
I think we need to dispel the rumors. That's not NSA or DHS, it's one team, for
the good of the nation. And we're there to support as DHS does its mission, and
we're there to do the critical national security systems in our part of the
mission and work with industry, academia, DHS and others to do that. A technical
I think when you see that, the great people that we have at NSA, we need to
leverage that. We have the world's center of gravity for crypto mathematicians.
We ought to leverage that for the good of the nation.
Finally, just to put a cap on it, we have great oversight. We self-report when
we make a mistake. We do make mistakes. And if you think about software and the
environment that we're working in, these mistakes are something that you
probably understand better than anyone. Vulnerabilities in code is a mistake and
when those vulnerabilities happen, things happen on the network and we take that
as an issue that we then take up to our overseers. We self-report. We fix it.
And we tell them what we're doing.
Bottom line, you have a tremendously hard job in securing these networks and for
what you do in industry and in government. A real tough job. We're there to work
with you as a team.
Thanks for the great work that you do. It has been an honor and a privilege for
me to be here today.
Thank you very much, folks.
 About the
ECM Mark II "SIGABA), see