Few individuals in the cyber security industry have had more positive impact on the direction and progress of our cyber defensive posture than Keith Alexander. Formerly Director of the National Security Agency, Chief of the Central Security Service, and Commander of United States Cyber Command, this retired four-star general of the United States Army now serves as the Founder and CEO of IronNet Cybersecurity. I feel so privileged to have had the opportunity recently to sit down with this luminary in his office in Maryland to get his candid take on topical cyber security issues such as advice to the President, information sharing, advanced heuristic analytics, network-speed capture of indicators, and other advanced concepts. His comments, as you might expect, are insightful and helpful as we all try to navigate the growing threat of cyber attacks in our current global environment.
EA: General, if the President were asking you today for your best advice about cyber security, and I know this would hardly be a new experience for you, what would you say?
KA: I would advise that we need to prepare now, and that we need to get the authorities to all the right parties. We need to be clear about what we expect from industry and what their authority is to protect themselves. And perhaps most importantly, we need to bring key players across government and industry together and rehearse how we will act in a crisis, including taking action in real-time to protect the nation. And this effort has got to be based on a coherent, intelligent strategy that doesn’t set unrealistic expectations or impose government mandates on the private sector.
EA: Do you think it is ever going to be possible for defenders to outsmart advanced nation-state adversaries?
KA: I do think it will be possible to outsmart them in tactical or small operations, but strategically this will be very difficult for industry. Indeed, it is fairly unrealistic for us as a nation to expect individual private companies to defend themselves against committed nation-state actors with huge budgets, advanced capabilities, and hundreds, if not thousands, of operators to throw at the problem. As a consequence, it is critical that private sector actors collaborate better with one another, in real-time, and on a 24x7 basis, not to mention that government and industry must work together, again in real-time, as needed in a time of national crisis.
EA: Has it been your experience that the offense, both in government and commercial settings, is getting better?
KA: Yes, the offense continues to get better. In fact, what is most troubling today is the recent increase we’ve seen in destructive cyber attacks conducted against private industry. In 2012, we saw destructive attacks against Saudi Aramco and Qatari RasGas, including 30,000 computers bricked at Saudi Aramco alone. And more recently, we’ve seen the destructive attacks here in the United States against Las Vegas Sands Corporation by Iran and against the Sony Corporation by North Korea. Look, the reality is that the offense is not only getting better, it is virtually likely to succeed at some level nearly every time. We need to shift to a posture of not only trying to stop attackers as they enter, but also finding them quickly once they are in, before they can do real, extensive damage.
EA: What is the role of information sharing in cyber security today? Do countries such as the United States have sufficient legal cover for this to proceed properly?
KA: Information sharing – really threat intelligence sharing – is critical. Private sector companies need to work together, and sometimes even with the government, to truly defend themselves against the range and scope of threats in play today. And the starting point for that effort is the real-time sharing of actionable threat intelligence. While the recently enacted cyber legislation is a great starting point, providing clear legal authority to obtain and share cyber threat information and important liability protection, I think we could do more to incentivize sharing and to ensure that the right people have what they need to defend the nation. It is also my hope that industry and the government will continue to partner together on this effort.
EA: You’ve probably seen more sizes and shapes of cyber attacks than anyone in the world. What keeps you up at night today?
KA: I worry that our commercial sector and our government are not prepared for large cyber attacks. We fundamentally have not had the key national conversations we need to have about who is supposed to protect the nation from seriously capable, committed adversaries, and how we are going to make that happen. Today, we expect companies – large and small – to protect themselves against all manner of cyber threats. Of course, this is totally unrealistic and unfair to industry – we don’t expect them to defend themselves against nation-states in any other context, so why should we expect it in cyberspace? It’s not logical. At the same time, while the government is sorting all that out, I think industry can best help itself by right-sizing its cyber security investments and looking at tools and capabilities that can adapt to the threat as it morphs and changes.
EA: What do you see as the primary technology gaps in cyber security today?
KA: In talking to chief information security officers (CISOs) around the country, the most common challenge I hear is how to make sense of the dozens and dozens of tools, individual capabilities, and data available to them. What I’ve heard them say is that they are looking for a comprehensive capability that can take the data they already have and build upon this data to address the tough use cases they face every day, making their analysts smarter and more capable of dealing with threats as they come at them.
EA: How important is it for advanced threat detection methods to operate at high capacity line speed?
KA: I believe it is absolutely vital. Recent reports show that intrusions and operations are moving at increasingly fast speeds, and if we want to mitigate future cyber attack events, then we need the speed to accomplish this as early as possible. And that means not just capturing at line speed, but employing Big Data analytics, also in real-time, at scale, and delivering both analytics results and the ability to mitigate at high speeds.