Former National Security Agency Director Gen. Keith Alexander wants government to take a more active role defending private-sector networks from cyberattacks, and he thinks President Donald Trump can help make that goal a reality.
Alexander was one of several cybersecurity experts who met with Trump and former New York City Mayor Rudy Giuliani shortly after the inauguration to discuss early-stage plans for a major government push on cybersecurity.
Alexander declined to provide details about the closed-door portions of that meeting, but told Nextgov he was impressed with the new president’s demeanor and his interest in the issue.
“I was impressed with the way he took on advice and came back with questions,” Alexander said. “I think, if the nation could have sat in and watched it, they would have said, ‘that’s our president; that’s what we need done.’ I’m very upbeat based on that.”
He also hopes Trump will allow the Defense and Homeland Security departments to pivot from responding to private-sector breaches and cyberattacks after they happen to more actively preventing adversary nation-states and other cyberattackers from penetrating U.S. companies’ networks in the first place.
“Here’s the question: Is defense of the country incident response or preventing an attack?” Alexander said. “In the [Obama] administration, it was incident response. That means after the attack. That means, the missile landed and blew up the city and now, we’re in there cleaning up. If that’s your city, you’d say, ‘we’d like to stop that missile’ and that’s what we should be doing [in cyberspace] in my opinion.”
Industry, however, has been hesitant to share the sort of information about its internal networks that would allow government to help repel an attack before it happens—partly because of concerns about government surveillance prompted by NSA information shared by leaker Edward Snowden.
Even legislation that shielded companies from legal liability in exchange for voluntarily sharing cyber threat information with the government, signed by Obama in 2015, took many years to pass.
Nextgov spoke with Alexander on the sidelines of the RSA Cybersecurity Conference in San Francisco. The transcript that follows has been edited for length and clarity.
Nextgov: President Trump has said he wants to make government cybersecurity a major priority. What should he do?
Alexander: If you were to step back and look at government at large, the biggest problem that you see is antiquated infrastructure, IT staffs that are not fully resourced with the best talent, departments and agencies struggling to maintain the competence levels that they need.
Especially on the civilian side of government, the first thing that comes to mind is, if we were a corporation, how would you start to consolidate? I assume that we’ll walk down the road.
Nextgov: Government has attempted to consolidate IT numerous times in the past and run into a lot of stumbling blocks.
Alexander: This is where President Trump will come in. It’s a business decision. If we were running government like a business, we’d do this. It’s the logical thing to do and you’ll save money and get better security. So, get on with it. Departments and agencies will say, ‘I don’t want to do this because I don’t want this guy to run my stuff.’ The reality is, get over it.
Nextgov: It sounds as if you’re bullish on Trump’s business experience making a difference.
Alexander: Everybody has some levels of reservation, but I’m bullish because I think he’s going to approach this—[and this is] why he was elected—as a business person vs. a politician. You want to save money? You want to do a better job? Here’s how you do it. Wha-chhhh! [Karate chops the air.] Everyone says, ‘well, there’s political things.’ ‘I’m not looking at politics. If you’re running the government like a business, you’d do it today.’
Nextgov: Will this mean more opportunities for cyber and IT contractors?
Alexander: I think those opportunities will probably remain consistent. The key would be those firms that can see the vision of where you’ve got to go.
Nextgov: Do you expect something that goes beyond consolidating and improving IT and security?
Alexander: Step two would be, OK, what’s the role of government?
There’s actually two sets of roles and responsibilities for government: to protect themselves and their data and to protect the nation. You have to have a mechanism of sharing information that can go at network speed—information about attacks that are coming in at network speed that the ‘defend the nation team’ can see.
Nextgov: Does that mean more cyber threat information sharing between the Homeland Security Department and critical infrastructure?
Alexander: It actually goes far beyond that. What’s DHS’ job?
Nextgov: To protect the nation domestically?
Alexander: No, DHS’ job is actually incident response and to set standards. DOD’s job is to protect the nation. If the nation is under attack, DOD is supposed to respond, but DHS is the ones that sees [the attacks].
Nextgov: But there are gray areas like the Sony breach where DHS is the lead response agency because they don’t reach the level of armed attacks against the U.S.
Alexander: I’m not a constitutional lawyer, but when you read the preamble to the Constitution, there’s a phrase in there: ‘provide for the common defense.’ You and I believe, as physical people here, that we’re protected from a foreign army coming in and shooting us. If a foreign power were to come in and destroy our infrastructure with bombs, should our military protect us? Yes. Now, what about when cyber is a prelude to that first step?
Nextgov: Do you think DOD should play a larger role in domestic cybersecurity?
Alexander: That’s where the administration has to sort out the rules of engagement. The real question is, should the constitution be re-written ‘for the common defense of some, not all, not you Sony and not you Target? If you’re hit by nation-state actors, well, sorry, good luck with that?’ No. It’s the common defense. And it’s hard, but it’s doable.
Nextgov: There was an early sense Trump might pivot to relying more on the military for domestic and critical infrastructure cybersecurity. Should he do that?
Alexander: I don’t know where specifically he’ll come down on that. I think what he’d say is, ‘how’s it going to work? Show me how you’re going to defend the country?’
I think the administration is wrestling with this. My experience, in sitting down with the president, is he was very thoughtful. He asked great questions. I saw a version of the president I thought the rest of the nation needs to see.
Nextgov: Are you concerned either the hiring freeze or the administration scandals so far will get in the way of the Trump administration accomplishing what you want it to?
Alexander: No. With the hiring freeze, the question is how much government do you need. The new heads of departments and agencies need to come in, look at what they have, where they can save, what they should do. That’s a good thing to do.
On the second part, I have no greater insight than you do on that. I think they’re going to do the right thing. Standing up a new team in government, even if you have 60 days to prepare, you can’t do all of it.
It’s in our best interest to see this country doing good and we should be doing the best we can to help the current administration, whether we voted for him or not, accomplish what’s good for our country. It seems to me that the rhetoric that was pre-election continues. My comment is: Wouldn’t it be better if we argued over how we help government get it right?
Nextgov: Do you think the concern about Gen. [Michael] Flynn [who recently resigned after acknowledging discussing sanctions relief with Russian officials before Trump’s inauguration] was a result of pre-election rhetoric?
Alexander: I wasn’t in the team in there. I’ve met him and knew him from before, but I didn’t work directly with him. I suspect that he did that for the good of the administration.
Nextgov: Should he not have resigned?
Alexander: I don’t know. I don’t know what went on in the room, so it’s pure speculation. I will tell you, by and large, the team he’s selected are really good people.
Nextgov: The government presence at cybersecurity conferences has risen since you came to Black Hat in 2013 in the wake of the [Edward] Snowden leaks. Is that a good thing?
Alexander: It’s a good thing. This is not two nations, an industrial nation and a government. It’s ‘one nation, under God, indivisible’ and we haven’t done that. We’ve missed that in our approach. The government is here not for the government. It’s for the people and for industry. The more government reaches out, the more it talks to industry, the better it is and what industry and the people want is for the government to protect our nation.
We should be cheering them on like we do at the Olympics instead of nitpicking them like we do today. We’re running around fighting with each other and the bad guys are throwing arrows at us. We should be thinking about what we can do to fix government, defend our country, work with our allies. Do you think terrorists stopped and said: ‘They’ve got a new team in there. Give them a few months before we come in. Give them an even chance.’ That ain’t happening. Same thing in cyber.