Prepared Statement of GEN (Ret) Keith B. Alexander*
on Cyber Warfare Today: Preparing for 21st Century Challenges in an Information-Enabled Society
before the House Armed Services Committee
April 11, 2018

Chairman Thornberry, Ranking Member Smith, Members of the Committee: thank you for inviting me to discuss the current threats and challenges that we face as a nation in cyberspace and how we might modify our current policies to address these problems. I applaud you both for approaching these issues in a bipartisan, strategic manner and for the series of hearings and briefings that today’s panel kicks off. I know that you will hear later today from some of our government’s leaders in this area in both an open and closed setting and that you’ll be focused on operational and budgetary matters in upcoming sessions, so my plan today is to set out some of the larger trends and issues that I see facing our nation and to put on the table some initial ideas about how these issues might be addressed.

Mr. Chairman, as you know, I’ve long been an advocate for the view that in the modern era of threats that face our nation, we must fundamentally rethink our nation’s architecture for cyber defense. Today we face strategic threats in cyberspace from two nations that have long been our key adversaries in this domain: China and Russia. We also face tactical threats from a range of actors, including increasingly active nation-states like North Korea and Iran, as well as a wide array of non-state actors from criminal gangs to terrorist groups. And some of these latter actors are working on behalf of, or alongside, the nation-states that are also operating against us in the cyber domain.

And while we increasingly recognize these threats as a nation, and as our government becomes more open and robust about calling out those who would threaten our national security, we still remain overly cautious about making hard decisions regarding the appropriate roles and responsibilities of the government and the private sector. Even as our nation maintains the lead in technological innovation and builds our economy based in significant part on growth in the technology sector, I worry that we are not yet ready as a nation to grapple with the reality that cyberspace has become a domain for warfare and that we very much are in the throes today of a series of ongoing—albeit currently low-level—conflicts in cyberspace.[1]

The recent National Security Strategy (NSS) released by the White House makes clear what we have long known: economic security is national security.[2] As the NSS makes clear, “[a] strong economy protects the American people, supports our way of life, and sustains American power…[and a] growing and innovative economy allows the United States to maintain the world’s most powerful military and protect our homeland.”[3] At the same time, we’ve long known that our economic security is being challenged directly in cyberspace by nations, like China, that continue to siphon off massive amounts of economic wealth through the theft and coerced transfer of the very intellectual property that is at the heart of our modern economy.[4] Our national security is even more directly threatened by nations like Russia who have engaged in obvious efforts to undermine confidence in our political system,[5] have sought to put in place long-term penetrations in critical infrastructure sectors in order to conduct espionage and prepare the battlespace for potential future conflict scenarios,[6] and have conducted what our government recently referred to as the most “destructive and costly cyber-attack in history.”[7]

And these threats don’t even account for the fact that our government has recently called out similar IP theft and destructive attacks by both Iran[8] and North Korea.[9]

At the same time, even though we are currently in the middle of a very real series of (minor) military skirmishes in cyberspace, and even though our Constitution has made clear for over 200 years that one of the core missions of the federal government is to provide “for the common defence,”[10] we remain woefully underprepared as a nation to provide effectively for such defense in the cyber domain.

This is not to say we don’t have the forces or capabilities in place to do so. The creation of U.S. Cyber Command under my watch within the Department of Defense, with the strong support of this Committee and its members, as well as Cyber Command’s continued close work with the National Security Agency, the world’s premier signals intelligence agency, provides our nation with very real and robust capabilities in both the offensive and defensive areas, capabilities that have the ability both to protect our nation writ large and to make cyber deterrence a reality in the global arena. However, the problem is not fundamentally one of force structure at this point. It is one of roles, responsibilities, authorities, and relationships. And on this account, there remains a great deal more to be done.

While this Committee has leaned forward and pressed the Department to think more actively about its capabilities, authorities, and warfighting doctrine when it comes to the cyber domain, I remain concerned that we have not yet really grappled with two major issues when it comes to the defense of the nation in cyberspace: (1) how we organize ourselves as a government to defend, fight, and win in this domain; and (2) how we build real jointness between the public and private sectors in what is inevitably going to be a conflict that requires both the government and industry to act with speed and vigor if we are going to truly be able to defend the nation.

Over half a decade has passed since 2012, when then-Secretary of Defense Leon Panetta made clear that it is the U.S. government’s policy that “the Department [of Defense] has a responsibility…to be prepared to defend the nation and our national interests against an attack in or through cyberspace”[11] and this year’s National Defense Strategy highlights the importance of providing such defense, noting that

“It is now undeniable that the homeland is no longer a sanctuary. America is a target, whether from terrorists seeking to attack our citizens; malicious cyber activity against personal, commercial, or government infrastructure; or political and information subversion…[And the] increasing digital connectivity of all aspects of life, business, government, and military creates significant vulnerabilities.”[12]

And yet, as this Committee all too well knows, the reality is that today, U.S. Cyber Command lacks the clear authorities and rules of engagement to make this policy effective. While many are rightly concerned with providing authorities prior to the beginning of a conflict, the reality is that in this domain, more than others, we need to ensure that our warfighters can act with speed and agility when the enemy strikes. And structured properly, with appropriate civilian oversight, reporting to Congress, and additional authorizations, the government can effectively mitigate any major concerns with providing such authority now. Indeed, given the potential for overreach, there are significant benefits to working together now, in a bipartisan manner, to provide U.S. Cyber Command with the appropriate authorities and key rules of engagement (ROE) in the relative calm of the current moment rather than making policy in the maelstrom of an ongoing crisis.

But simply providing Cyber Command with robust authorities and solid ROE is not enough. The reality today is that the vast majority of American cyber infrastructure is owned and operated by the private sector and, as a nation, we do not want the government to maintain a long-term, active presence on private sector networks to provide defensive capabilities. As a result, it is critical that the government works closely with the private sector in three areas: (1) setting the conditions for a truly defensible cyber infrastructure; (2) significantly empowering private sector defensive capabilities; and (3) providing for interoperable capabilities and joint exercises in the event that a national crisis requires the government to assist the private sector in a more direct manner or to respond directly against a threat to the nation.

To set the conditions for a truly defensible cyber infrastructure, we must recognize a basic fact about the cyber threat environment today: namely that no single entity—whether a private sector company or a government agency—can stand alone against the most capable threat actors. Indeed, in no other area do we expect individual private companies to defend themselves against nation-states. For example, while we reasonably expect Target to have high fences and armed guards around its warehouses to protect against thieves, we surely don’t expect Target or Walmart or any other American company to have surface-to-air missiles on the roofs of those warehouses to defend against the threat of a Russian bomber dropping munitions.[13] And yet today, when it comes to cyberspace, we expect exactly that. This policy simply makes no sense; expecting individual companies, standing alone, to defend themselves against all comers, including nation-states—which, to be fair, is our current expectation—is a policy designed to fail.

Instead, as a nation, we need to move to a collective defense architecture both within the private sector, as well as between the public and private sectors. The good news is that we have already taken significant steps in this direction, with various sectors creating information sharing and analysis centers and organizations (ISACs/ISAOs) and the government crafting legislation to encourage information sharing amongst companies as well as with the government. The reality, however, is that even with these organizations in place, we still have yet to create the right incentives to share information at scale and speed within the private sector and with the government.[14] To be sure, some sectors, like the energy and financial sectors, are beginning to lead in this space. But more remains to be done, both as a matter of policy as well as authorities. We must increasingly think of our critical industries not just as a coalition of key companies and sectors, but as a set of strategic assets that require a combined, joint arms effort to defend them.

Much good intellectual work has been done in this space including: (1) discussions about creating and empowering a Strategic Infrastructure Coordinating Council (SICC);[15] (2) the extremely valuable and practical recommendations of the National Infrastructure Advisory Council (NIAC);[16] and (3) the notion of creating a public-private advisory body to the National Security Council (NSC) in the form of the National Cybersecurity Public-Private Partnership (NCP3),[17] as recommended by a recent Presidential commission that I served on alongside key individuals from the private sector including the former CEO of IBM, Sam Palmisano, and the CEO of Mastercard, Ajay Banga. But the time for purely intellectual exercises has passed; it is now critical that we begin taking the right steps to implement these ideas in practice.

When it comes to empowering private sector defensive capabilities, here too the government can and should do more. For far too long the government has talked about the need to share threat information at speed and scale with the private sector. But continued talk will mean little if the day comes to pass where the government knew of a major threat to the American private sector that it could have helped defend against but didn’t share it in an actionable form, in real-time. The government must be prepared not only to share declassified information with the private sector in real-time and at machine-speed, but also must be prepared to use its overseas intelligence collection architecture to collect on threats to the American private sector and to pass on this information—even in its highly classified form—to the private sector, so that it may be utilized to defend industry.

Similarly, if the nation is to become truly defensible, the government must work with industry to develop a cyber common operational picture, analogous to the air traffic control picture. Just as the air traffic control picture ensures aviation safety and helps synchronize government and civil flights, a cyber common operational picture can help synchronize our national common cyber defense and enable rapid response in a time of crisis.

Finally, the government and industry ought to work together to develop interoperable capabilities that can be utilized in a crisis and to exercise these capabilities in advance of an actual threat. Such efforts, as recommended by the NIAC,[18] will allow the nation to have a plan and capability in place should the need arise in case of an actual cyber conflict scenario.

As a former commander of forces deployed around the world, I also feel strongly that unity of command is critical. Today we divide responsibility for the ongoing, day-to-day defense of the government amongst various agencies, including Cyber Command and DHS. We likewise divide responsibility for private sector outreach and collaboration on cyber defensive efforts between Cyber Command, DHS, and FBI. To that end, it is my view that in the time of a crisis, all of these capabilities have got to come under a single authority. And while I know this will be a hotly debated recommendation—not to mention where the authority ought to reside—the reality is that while we have gotten away for quite a while with various agencies stepping on one another’s toes, more must be done going forward to get the government working more closely together if we are to be able to respond effectively in a crisis scenario. At a minimum, as the government debates and discusses the wisdom of such a larger effort, at least within the White House, the President ought to immediately elevate existing roles by appointing an Assistant to the President for Cybersecurity who reports to the President through the National Security Advisor and charge that individual with leading national cybersecurity policy and coordinating implementation of the nation’s cyber protection program and taking input from the recommended NCP3.

In sum, Mr. Chairman, I think much remains to be done to create a truly defensible national cyber architecture. But I believe that we can get there, particularly with the support of this Committee and its leadership, reaching across the aisle to solve this truly national problem. I stand ready to assist you, the Ranking Member, and the other members of this Committee and your staff to work on this effort. Thank you to both you and the Ranking Member for your leadership and for holding this hearing. I am prepared to answer any questions you or the members of the Committee may have.

* Gen. (ret.) Keith B. Alexander is the former Director, National Security Agency and Founding Commander, U.S. Cyber Command. Gen. Alexander currently serves as President and CEO of IronNet Cybersecurity, a startup cybersecurity firm and in a range of other capacities in the public and private sectors. Gen. Alexander is testifying before this Committee today in his personal, individual capacity.

[1] See, e.g., Office of the Director of National Intelligence, Worldwide Threat Assessment of the U.S. Intelligence Community, at 5-6 (Mar. 6, 2018) (“The risk is growing that some adversaries will conduct cyber attacks—such as data deletion or localized and temporary disruptions of critical infrastructure—against the United States in a crisis short of war….Russia, China, Iran, and North Korea will pose the greatest cyber threats to the United States during the next year. These states are using cyber operations as a low-cost tool of statecraft, and we assess that they will work to use cyber operations to achieve strategic objectives unless they face clear repercussions for their cyber operations…. The use of cyber attacks as a foreign policy tool outside of military conflict has been mostly limited to sporadic lower-level attacks. Russia, Iran, and North Korea, however, are testing more aggressive cyber attacks that pose growing threats to the United States and US partners.”), available online at

[2] The White House, National Security Strategy of the United States of America at 17 (Dec. 2017), available online at .

[3] Id.

[4] See, e.g., The White House, Remarks by President Trump at Signing of a Presidential Memorandum Targeting China’s Economic Aggression (Mar. 22, 2018) (statement of U.S. Trade Representative Robert Lighthizer) (“Lighthizer:… Technology is probably the most important part of our economy. There’s 44 million people who work in high-tech knowledge areas. No country has as much technology-intensive industry as the United States. And technology is really the backbone of the future of the American economy….And we concluded that, in fact, China does have a policy of forced technology transfer; of requiring licensing at less than economic value; of state capitalism, wherein they go in and buy technology in the United States in non-economic ways; and then, finally, of cyber theft.”), available online at .

[5] See, e.g., U.S. Department of Treasury, Treasury Sanctions Russian Cyber Actors for Interference with the 2016 U.S. Elections and Malicious Cyber-Attacks (Mar. 15, 2018) (“Today’s action counters Russia’s continuing destabilizing activities, ranging from interference in the 2016 U.S. election to conducting destructive cyber-attacks, including the NotPetya attack, a cyber-attack attributed to the Russian military on February 15, 2018 in statements released by the White House and the British Government.”), available online at .

[6] See, e.g., Department of Homeland Security, Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors (Mar. 15, 2018), (“This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors….DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”), available online at ; see also Worldwide Threat Assessment, supra at n. 1 (“In the next year, Russian intelligence and security services will continue to probe US and allied critical infrastructures, as well as target the United States, NATO, and allies for insights into US policy.”).

[7] The White House, Statement from the Press Secretary (Feb. 15, 2018) (“In June 2017, the Russian military launched the most destructive and costly cyber-attack in history….The attack, dubbed ‘NotPetya,’ quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas.”) available online at .

[8] See, e.g., Department of Justice, Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps (Mar. 23, 2018) (describing Iranian hackers that “conducted a coordinated campaign of cyber intrusions into computer systems belonging to 144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.”), available online at ; see also Worldwide Threat Assessment, supra at n. 1 at 6 (“Iran’s cyber attacks against Saudi Arabia in late 2016 and early 2017 involved data deletion on dozens of networks across government and the private sector.”), available online at .

[9] See, e.g., The White House, Press Briefing on the Attribution of the WannaCry Malware Attack to North Korea (Dec. 17, 2017) (“In May of this year, a dangerous cyberattack known as WannaCry spread rapidly and indiscriminately across the world. The malware encrypted and rendered useless hundreds of thousands of computers in hospitals, schools, businesses, and homes in over 150 countries….This was a careless and reckless attack. It affected individuals, industry, governments. And the consequences were beyond economic. The computers affected badly in the UK and their healthcare system put lives at risk, not just money. After careful investigation, the United States is publicly attributing the massive WannaCry cyberattack to North Korea.”), available online at .

[10] See U.S. Const., preamble.

[11] See Department of Defense, Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security, New York City (Oct. 11, 2012), available online at .

[12] See Department of Defense, Summary of the 2018 National Defense Strategy (Jan. 19, 2018), at 3, available online at .

[13] See, e.g., Keith B. Alexander, et al., Clear Thinking About Protecting the Nation in the Cyber Domain, 2 Cyber Defense Review 29, 33 (No. 1) (2017) (“The fact is that commercial and private entities cannot be expected to defend themselves against nation-state attacks in cyberspace. Such organizations simply do not have the capacity, the capability, nor the authority to respond in a way that would be fully effective against a nation-state attacker in cyberspace. Indeed, in most other contexts, we do not (and should not) expect corporate America to bear the burden of nation-state attacks. For example, we do not expect Target to employ surface-to-air missiles to defend itself against Russian planes dropping bombs in the United States. Rather, that responsibility belongs to the DoD. Today, however, in cyberspace, that expectation is flipped on its head.”)

[14] See Keith B. Alexander, Prepared Statement on Cyber Strategy and Policy before the Senate Armed Services Committee (Mar. 2, 2017) (“The cyber legislation enacted by Congress last year is a step in the right direction; however, it lacks key features to truly encourage robust sharing, including placing overbearing requirements on the private sector, overly limiting liability protections, restricting how information might effectively be shared with the government, and keeping the specter of potential government regulation looming in the background”), available online at .

[15] See, e.g., Electricity Subsector Coordinating Council, ESCC Initiatives (Jan. 2018), available online at .

[16] See, e.g., Department of Homeland Security, National Infrastructure Advisory Committee, Securing Cyber Assets: Addressing Urgent Threats to Cyber Infrastructure, at 3-4, 7-20 (Aug. 2017), available online at

[17] See, e.g., Commission on Enhancing National Cybersecurity, Report on Securing and Growing the Digital Economy (Dec. 1, 2016), at 14-15, available online at .

[18] See, e.g., Department of Homeland Security, National Infrastructure Advisory Committee, Securing Cyber Assets: Addressing Urgent Threats to Cyber Infrastructure, at 8-9, 18 (Aug. 2017), available online at