Episode 28. Cyber Security: Foreign Attacks And U.S. Cyber Policy With General Keith Alexander And Cyber Coordinator Chris Painter


General Alexander and Coordinator Painter discuss U.S. responses to cyber attacks from Russia, Iran and China, the urgent need for stronger defense & cyber as a tool of national power.

This podcast episode was jointly produced by the American Academy of Diplomacy and Foreign Policy Productions.


Episode Transcript:

Amb. McCarthy (00:02): From the American Academy of Diplomacy and Foreign Policy Productions, this is The General and the Ambassador. Our podcast brings together senior US diplomats and military leaders to explore how they were able to tackle some of our biggest foreign policy challenges. I'm Deborah McCarthy. I'm the former US Ambassador to Lithuania and someone who spent over 30 years working in the US State Department. On today's episode, the US response to major cyber-attacks and how that shaped US cyber policy. Our general today is Keith Alexander, the former head of the National Security Agency and the US Cyber Command and our ambassador is envoy Chris Painter, the former State Department coordinator for cyber issues. In 2008 a cyber-attack caused the worst breach of US military computers in history. This event led to the creation of US Cyber Command and a rethinking of our entire cyber strategy.

Recording of Barack Obama (01:04): “From now on, our digital infrastructure, the networks and computers we depend on every day will be treated as they should be, as a strategic national asset. Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy, and resilient."

Amb. McCarthy (01:26): At the time, General Keith Alexander was heading the National Security Agency. He picks up the story from there.

Gen. Alexander (01:33): NSA had seen some information in foreign territory that was Defense Department classified information and we were concerned, something's wrong with the network. At that time, we were not authorized to go into the DoD networks without being invited in. It took us several days to get invited in and when we got invited in, we found 1500 pieces of malware on a classified network. Now that came to me on October 24th, a Friday, at 1630, all bad things happen in government on Friday afternoon, to screw up your weekend. What we did is two things. I called Secretary Gates and Admiral Mullen told them about the problem and what we found and then the guys that were working this, from NSA, were around a table with me and I said, okay, we found it. How are we going to help fix it? And they came up with the idea of building a system with the encryption and everything they needed to solve that problem. They built that system in 22 hours and put it on the network by Saturday at 1430. So it's amazing. We have another saying in the Defense Department, no good deed goes unpunished. I was in charge of the offense at that time. The defense was Global Network Ops, the Joint Task Force Global Network Ops. And we had the offense and the defense separate. The next Monday, the services came in, they wanted to count systems. We said, "no, no, it was a virtual attack. All the systems you had Friday are still here Monday." But Secretary Gates watched this, and over the next two weeks said, "okay," he sent a memorandum that would establish Cyber Command and he chopped the operational control of the defense to me. So now we have the offense and the defense together.

Chris Painter (03:23): And I should say that we weren't very mature across the board in the US government on this. You know, Keith just talked about the division between offense and defense at DoD. We didn't really have a group at the State Department that talked about, at that point, the diplomatic play and how to work with other agencies and FBI had been doing this stuff for a while. And I still remember Keith when some of your folks brought over the horse blanket that described what cyber command would be, which is literally the size of a horse blanket. That's why they call it in terms of an organizational chart. And it really was a new concept. And at the same time we were writing, in the beginning of the Obama Administration, the Cyberspace Policy Review, the 90, the 60 day review, which was triggered by all this bad stuff happening and said, we really need to take a comprehensive look at this, including the military aspects and how we go after these things, but also the international aspects. So these two things were happening, or really across the government, we, we're saying we have to up their game.

Amb. McCarthy (04:19): Chris, you were the first ever cyber diplomat, Cyber Coordinator for the entire globe reporting directly to the Secretary of State. What were your major targets? What were you aiming to build internationally to be able to better protect the United States?

Chris Painter (04:36): Yeah, I mean there were several different parts of this. One, just mainstreaming the issue at the State Department, making sure they understood this was an important issue. Externally it was really dealing at first with allies, but also building other partnerships, in part so we could exchange information, and in part to enhance our ability to go after these threats. You know, how we, we exchanged, you know, help law enforcement exchange information, military, DHS, the technical information, and the idea would be to work hand in glove with our partners in our interagency, but also, get other countries to join us. With the long-term goal, frankly, if you build these better alliances, and this is something we've done traditionally forever in the military area, but build these alliances even on a diplomatic level that we can then act collectively against some of these shared threats. So that that's the ultimate goal. And I think that's still being pursued now.

Amb. McCarthy (05:23): And our cyber defense policy now calls for defending forward, working with our allies to contest cyber activity and to sort of push the walls out. How does this work in practice, Keith? And you know, maybe NATO could be an example of what they're trying to build up today and, and how they define cyber today.

Gen. Alexander (05:43): So there's a couple of things that go into this question of defending forward, if you will. First I think it's important to note, go back to 2007 and Estonia look at where technology was then. We had analog networks and we had digital networks and we saw that everything was going digital, but not everybody, nor were all the telecommunications digital. The iPhone came out in 2007, so what you see is this area is changing as we're adapting and developing policy, processes, and procedures. So I think it's interesting to look at the technical growth when Facebook, when Google, when Amazon and all these things take off when the cloud comes in. And now how do nation states work with this? In terms of defending forward, if you think about what's happening today in the Middle East, Iran is attacking our Gulf state allies, they did that in 2012, they attacked Saudi Aramco and then they attacked Wall Street and the financial sector with distributed denial of service attacks. The attack on Saudi Aramco was a destructive attack. What happened from my perspective, is we could not see the attacks into our allies. So when we see it first is when it hits us. It's like having a missile system, but you have no radars to see the missiles coming in. The first time you know there are missiles coming in is when you hear an explosion. That's a bad place to be. So defending forward from my perspective is now beginning to see what's hitting our allies and helping them and understanding it and see what's hitting us. Now there's two parts of this. You know, two parts on two levels. There's what State Department has to do and our ambassadors do. Then there's, what do you do from a treaty perspective? How do, how do we work NATO. When is it an act of war? And what are we going to do to help defend other countries that are being attacked? 
I think this is what we are now going to face and I don't believe we're ready for it yet because most people haven't gotten their heads wrapped around the fact that damage, significant damage, can be done. And oh, by the way, if they can hit eastern Europe 70 milliseconds later, they can hit us.

Amb. McCarthy (08:11): Well, I wanted to ask about the, precisely the attacks of 2012 that hit, it was a denial of service attack on all our major banks, and I, as I understand correctly, you both worked to basically push out and work with countries overseas to turn off servers and to stop the spread. Can you talk a little bit about how you did that? Because it gives us a concrete example of the international cooperation.

Chris Painter (08:36): Sure. I should say a couple things. One, in terms of the attack, which ended up being Iran and was going after our, our financial systems, and these, these were advanced nuisance attacks. They were denial of service attacks they were going after websites, outward facing things. They weren't getting into the back rooms of the banks or changing the settlement sheets or things like that. But it was serious, and to, to be fair, the banks were coming to us and saying, "look, you know, this looks like a nation state actor. Why should we be saddled with having to do all the protection on this?" And we evaluated a lot of different options, what the diplomatic play was, which turned out to be more effective than I think we thought, we never tried before, was we did what they call diplomatic demarches, which, you know, sounds like something where you yell at people, right? It just sounds like it'd be mean. And it usually is, it usually is, you send some diplomat in and they yell at the other side and nothing happens. But these were ones asking for cooperation. So the way these botnets work is they have different concentrations, can change very quickly all over the world. There were a lot that were centered in Germany, a lot centered in other [places], obviously a lot in the US too. One thing we're considering is how we knock down these botnets in other ways, in other technical ways, but we asked these countries, can you use whatever authorities you have to help us and take them down on your own. You don't want these things in your country either. And from a lot of countries we got a lot of cooperation and we also said, "look, if something happens to you, we want to work with you too." So I created that more cooperative setting against shared threats.

Amb. McCarthy (10:02): Did we get push back from some?

Chris Painter (10:04): We got pushback from some, but you know, look, I mean there were also botnets in Russia and China too, right? So, but you know, we got a lot of help from Germany, a lot of help from, from a lot of the European countries where these were being focused and some of the Asian countries. You know, that doesn't get rid of the problem totally, but it builds that muscle memory to do that again. And again, it's not the exclusive tool we should use, but it's one of the tools we need to have in our toolkit.

Amb. McCarthy (10:29): Well, we've identified China, Russia, North Korea, Iran as threats to the United States and that's in our current cyber strategy. And I wanted to turn and talk a little bit about...

Chris Painter (10:39): If I could just, before, because I know we haven't, um... so just on the defending forward issue, I do think we need to be more aggressive in going after enemies and contest them. And I think as Keith said, part of that is building alliances. There's this tension though that comes up, which is, when you are working with other countries, I mean, I remember one of, a Finnish colleague said, "does defending forward as close to the adversary as possible mean in Finland?" And it could mean that, it's cyberspace, right? So the question is there are times when you have to act unilaterally and there are times when you want to build alliances and you really gotta make sure you're thinking about both of those things, right? You know, Keith is quite right, cyber moves very quickly, but you want to build those alliances just like you do in the physical world with those countries, so you can act together. Some countries you can't do it. That's the way it is. But there are a lot of countries who were also just thinking about this. And, and I also agree with Keith, these countries need to take this more seriously too.

Amb. McCarthy (11:37): Well, I wanted to ask precisely on the issue of consequences, and I mentioned China a second ago, we did sign an agreement with China, whereby, amongst other things, they agreed not to steal any more intellectual property and obviously have not adhered to it. And I mean, we have named and shamed, we've indicted a number of Chinese. Beyond those tools, what other tools do we have in the toolbox to impose consequences for unacceptable behavior of countries such as China?

Gen. Alexander (12:07): So there's two parts to this, and that is we have to fix our defense. You know, we complain about China stealing our intellectual property, but we make it so easy for them. They're not going to stop. They'll, we can publicly say, yeah, we're not going to do it. Then they'll try to do it quietly, but they're going to take our intellectual property. We need to secure it. And right now, if you think about how we defend, every company defends itself, they can't see what's hitting other companies and the government can't see what's hitting them. There is no way to collectively defend our nation today. We need to fix that. That's the first part. The second part is if we fix the defense, then bring the government in, then the State Department, the Defense Department, the National Security Council can see what's happening. And it's beyond name and shame. It's, "I know you're doing this. Oh, by the way, I could block it technically, and we could do more." And I think we need to get it to that level. You know, this is my opinion, the greatest transfer of wealth in history. We're losing our future in intellectual property and China wants to fuel their economic engine. I think this is the biggest issue our country faces because it's now undercutting our economy. And I think that's going to hurt us in the long term. And I do think we need to push back on multiple fronts, political, economic, diplomatic, and I think in cyber fix the defense and be prepared to repel them technically by cutting off their access into some of these sensitive areas.

Chris Painter (13:51): Yeah, and look, I think, uh, you know, naming and shaming certain countries, with China, they care a little bit about soft power, with Russia and North Korea you're not going to name and shame them. You have to do more than just call them out. I mean, calling them out is great. And if we can get countries to do that, that's a great predicate, but we've got to do more. With China in particular, I mean, it's an interesting thing, you know, they were, you know, essentially robbing us blind for a long time. And you know, I don't think we're very effective at either protecting our systems and intellectual property, I think we still have lots of holes now, you know 20 years after we started talking about this. I went back and read our 2003 cyber strategy that came out during the first Bush Administration. It's striking and kind of depressing how similar a lot of the things in there are to what we're trying to do today. So we need to get better at that. With China, one of the things we did differently, which I think helped and we have to move to, is Obama said this is not a cyber issue. This is a core issue of national security and economic policy, and one that we're willing to have friction in the overall relationship, as important as that relationship might be, because this is so big. And I think when he first told Xi about this, Xi was like, "what is, what are you talking about? What is this cyber thing you're talking about?" You know, they didn't really understand why it was that serious. And I remember when we first raised it in a dialogue with the Chinese...

Amb. McCarthy (15:05): And you were part of those negotiations.

Chris Painter (15:06): Yeah, I was part of those negotiations and I was part of the first group. We had one political and military dialogue with China on a number of issues and they always would like to talk about things like Taiwan. And we always want to talk about cyber.

Amb. McCarthy (15:20): So, a lot of talk.

Chris Painter (15:20): A lot of talk, but we, this is the first time we said, "look, we know you're responsible for this. We know you're responsible for this. We know you're responsible for that." And that wasn't an easy thing to do. We talked a lot to uh, to Keith's deputy, to Chris Inglis at the time, about getting good examples. We don't have to be that detailed. They know what they did, but you know, telling them this is important and we care about this. So I did that in this meeting and said, "We know you did this. We know you did this." The PLA, the deputy chief of the PLA General Ma just got really angry. He didn't say anything. He didn't want to say anything.

Amb. McCarthy (15:52): Did he turn red?

Chris Painter (15:53): He turned a little red. They went around the table, he didn't want to talk. And then he did talk and he, and you know, as you often hear from Chinese officials, he spoke in terms of a metaphor and he gave a story and our translator said, I don't have enough time, I'll tell you what the story means later. But his story was, "You're wrong, you're mistaken. It's, it's like the story of the woodsman who goes into the woods and he loses his axe and he goes home and he blames the neighbor boy because the neighbor boy just seems like the kind of guy who would steal his axe, and he comes back the next day and he sees the axe and he realizes he was wrong all along. And so really, it wasn't us, it's other things." And I said, "I wish you told me."

Amb. McCarthy (16:28): No wonder the translator said they didn't have enough time.

Chris Painter (16:30): Well, I actually wished he had told me that because I said to General Ma that night at dinner, "No, it's like the woodsman who loses the axe. He goes back, the axe is still gone. But all the other woodsmen have very similar axes." So that, you know, it was a big deal. We pressed for over a year and a half. We got other countries to also pressure at a very high level at the prime minister and president level. And I think the only reason they came to the table quite frankly was because they wanted the visit in DC to run smoothly. There was a threat of economic sanctions, they thought about it in terms of the overall relationship. And they committed not to do it even though before they said there's no difference between espionage and economic espionage. And we don't do either, which was laughable. Uh, but getting them to the table was important. They did agree, and for a while we saw some change. I agree though, that if it's in their best interest, they're going to do it. And I think with the relationship now kind of tattered, there's no reason they feel they need to do it. And we need to kind of figure out how to do this. And one way is, it's great to agree, but we have to enforce those agreements by having, imposing costs and consequences. Not just cyber, but cyber should be in the toolkit, sanctions, other things. Nothing should be off the table, because if we don't, they're, they're empty promises. And that's, that's a problem.

Gen. Alexander (17:47): And we've got to fix our defense.

Chris Painter (17:49): Yeah, I agree. I agree.

Gen. Alexander (17:49): You know, we've, we've got to have a defensible architecture between government and industry.

Chris Painter (17:53): I agree with that.

Gen. Alexander (17:55): You know, it's, it's an area where, that's us to fix. That's not the Chinese, the Russians or anybody else. This is what we can do now to help ensure our future. And I think that's hugely important to get out in front of that. We lose more than it would cost to fix it.

Amb. McCarthy (18:12): And you've talked a bit Keith about having, you know, sort of a common operating picture to use a military term. So in other words, where you can see things in real time transmitted. Are we beginning to build that and allow certain information to be shared from the government with companies so they can respond?

Gen. Alexander (18:32): Well, I think this is an area where the recent acts, the size, the CISA [Cybersecurity Information Sharing Act] Act of 2014, 2015, began to authorize the sharing of that data and protecting in liability and other places. However, we're going way too slow, look at the rate of technological change and then look how fast we're going on the defense. It can't be, you know, I want to share stuff that's a hundred days old. You know, I found out about the attack, it happened a hundred days ago. Well, can you imagine if a missile attack hit? And then a hundred days from now we say, wow, I was wondering what happened to Denver. I hadn't heard from anybody from Denver for a while. Darn.

Chris Painter (19:13): The depressing part of that, and I, I completely agree with that, is that, that has been at least a stated priority now for 20 years and, and we can't, look, it's hard to do. I get that. And we have to have both the hardening of the targets, the defense that General Alexander is talking about, and we have to have the response when people try to break through those. But we got to treat this more like an urgent national mission. This cannot be on the back burner.

Amb. McCarthy (19:38): Well, this brings us obviously to the issue of Russia. I mean, Russia has gone beyond that. You know, it's not just IP theft, it's, you know, interfering in our elections. It is spreading disinformation, misinformation, whatever term you want to use on social media. And, it continues to harbor people such as Edward Snowden. So in the case of Russia, we've named and shamed, we've issued indictments, we have imposed some sanctions, and we have expelled a lot of diplomats. Are these sufficient?

Chris Painter (20:10): No, look, I think we have not done nearly enough to both impose costs on Russia for the conduct they've already done, but also to make sure that they understand that it's credible, there'll be a response when they do it again. You know, and I think that's been true of both administrations. I think that the sanctions and other activity we did at the end of the Obama Administration was just not timely enough and it wasn't enough. And it's not, it shouldn't be a political issue. We should do it no matter what. And then in this administration, yes there've been sanctions in place, but if we really had done targeted sanctions as one of the tools, they're going to really affect Putin and his cronies. The things he really cares about. There was a defense scientist board report on deterrence a couple of years ago that talked about tailored deterrent strategies for each of the different adversaries because there are different things they hold dear. And we needed to do that. And then we haven't even had consistent messaging. I mean, no, and look, this is just an unfortunate thing. You could have great people in the administration doing great things, the FBI, DHS, and others. But if at the top, at the, at the commander in chief level, at the presidential level, if they're calling doubt into whether this actually happened, that undercuts all those efforts. And if I'm Putin and I see that, why wouldn't I do it again? What costs am I really paying for doing that? Uh, you know, we should be disrupting their activity too. And there's been some stories about that recently. All good. But we need to also, you know, try to deter them in the future and do what we can and work with our partners to do that too because they are suffering some of the same issues.

Amb. McCarthy (21:34): Are we seeing on Russia the same willingness to pull together a coalition to respond because of cyber attacks that we pulled together when they went into Ukraine? That Prime Minister May pulled together after the poisoning to take action? Are we seeing that in the cyber space?

Chris Painter (21:55): Not as fast as we'd like to see them. Yes, I think we're saying it. You know, there is this deterrence initiative that State and DoD have talked about, that's getting partners. You know, a likeminded group, big tent likeminded doesn't have to be the traditional Five Eyes allies, it can be beyond that. And the cyber people get this, right. The people who are at, you know, the cyber military people get this, the cyber people, the diplomats get this. But the, the leaders need to get this. And there is, and I go back to what I said about the Salisbury poisoning. That's a stark contrast that it took such a short time there because leaders get this, leaders get poisoning, they get physical things and how long it took to, to go after NotPetya. And it's also, you know, and that was very destructive, that had a real effect. And Russians have not just been involved in election interference, but also other malicious and malign activities.

Amb. McCarthy (22:46): Can you explain a little bit what NotPetya was?

Chris Painter (22:48): I mean it was a big, you know, Keith probably is even better at that, but it was essentially a destructive computer worm that, according to some reports, was being tested in the Ukraine, but then kind of got beyond that and had huge economic consequences. It took down the Danish shipping giant Maersk and their operations, it hit lots of others. It caused a lot of damage.

Gen. Alexander (23:08): Yeah, so Russia was targeting Ukraine's tax software and unfortunately those countries that work with Ukraine needed to download that software and they were collateral damage. And the consequence, Merck, Maersk, all these companies got hit. And you can see cyber is being used as an element of national power by Russia on Ukraine to destabilize Ukraine. Probably didn't intend that everybody else should get hit, but too bad. Uh, we're okay. And it's interesting because it actually hit Russian companies too. So it's kind of like, you know, it's like throwing a hand grenade and four of the bad guys get it and four of the good guys get hit. You want to throw it further. I think the key issue on Russia and the elections is the fact that, fix our defense because Russia is, as Chris correctly said, this is kind of free to them. You're going to sanction me? That's not hurting. You already sanctioned me. I'm good. Now what are you going to do? And I do think Eastern European countries want to work with us in this area.

Amb. McCarthy (24:12): Absolutely.

Gen. Alexander (24:12): They clearly want to work. I've talked to many of the ambassadors on both the US and their side. They want to work. This is an area that we can and should work together.

Chris Painter (24:22): And I also agree, Eastern European countries, who are on the front lines of a lot of this, and certainly, you know, the Baltic countries...

Amb. McCarthy (24:29): Certainly in my time in the Baltics, the Lithuanians who, and others continued to be attacked, they stood strong with us on, on the Snowden issue and stand ready to work as closely with us as, you know, we let them. Absolutely.

Chris Painter (24:43): So I think this is the other thing that worries me a little bit is that the US needs to continue to demonstrate leadership across the board because this is a place...

Amb. McCarthy (24:51): Well certainly right now in the Department of State, we no longer have that Special Coordinators slot, it has been moved into the Economic Bureau, but it's not just an economic issue.

Chris Painter (24:59): Yeah, it was really weird. I mean, you know, like a lot of other things, when the new administration came in, I think that the then Secretary of State just didn't want direct reports at all. So I think, uh, the office was downgraded after about six months and it was, it was unfortunate because that sends a message, not that this is a priority, but it sends a message both to our friends, our allies who were like, what the hell's going on here? And to our adversaries who were like, okay, well they don't care about that this much.

Amb. McCarthy (25:26): Well, I wanted to ask in terms of, General, as a wrap up question, are we with our new defense, excuse me, our new cyber policies, are we moving to using cyber as a tool of our national power?

Gen. Alexander (25:40): From my perspective, yes. And I think we need to do that. Uh, and actually in 2011, President Obama in part of his statement said that he would respond to cyber attacks with all the elements of national power, including cyber. And so when you look at it, it goes back eight years. And I think that's correct. The answer is yes, we're going to use all elements of national power to respond to attacks on our country. Now the interesting part, if you're going to use cyber, my caution would be, be prepared to defend because if we start attacking others in cyber, they're going to attack us. And we have more to lose in cyber than other countries. As a consequence, that, that's why I'm so insistent that we fix our defense, both the commercial and the government side. It's, it's our biggest vulnerability. And I also, you know, I do like, and it was a great learning experience working with Chris, State Department, Homeland Security and all these, with Cyber Command and NSA. At the end of the day, we are an innovation nation. We helped create the Internet. We have the technology to defend it. We could make a lot here and right now it's just the opposite. We're losing and we need to get out in front of that.

Chris Painter (27:05): And, and I'd say a couple of things first. That statement that General Alexander just read, that was in our 2011 international strategy that we set that out, which was really trying to cover all the bases and it was really important. We meant that at the time. Now have we executed it enough? Probably not. The other thing is the teamwork was really important. I remember, uh, shortly after my office got created, Keith had me and my team go out to NSA and Cyber Command for a day. And I think that was a really good team building exercise and having those meetings were important. We need to do that across the government. We can't, we can't do this in stovepipes, it's really important to do that. And the last thing I'd say is, we have to be careful about certain things. We're creating precedent here. We have to be cautious in building alliances too and not just do things unilaterally. I think that's important. But I also think we've been overly risk averse sometimes. I agree. We're more vulnerable than anyone else, but sometimes we self-deter by not wanting to do anything because we're so worried about it. We need to build ways to have better connections even with adversaries so that we can deescalate if we need to, but we can't just sit on our hands.

Amb. McCarthy (28:10): Well we want to thank you for explaining it to a number of our listeners because it isn't an easy issue and also want to thank you because I know you're both extremely committed to the issue. You continue to exercise leadership in new and creative and different ways and I think that's extremely important because you are part of the backbone and infrastructure of our cyber defense.

Gen. Alexander (28:35): Well, thank you, Ambassador. It's an honor to be here and Chris, good to see you again.

Chris Painter (28:38): Good to see you, Keith. Thank you.

Amb. McCarthy (28:41): And that's it for this episode of The General and the Ambassador. My guests today were General Keith Alexander and former US Cyber Coordinator, Chris Painter. This program, The General and the Ambassador is a project of the American Academy of Diplomacy and the Una Chapman Cox Foundation. You can find lots more information, including full bios on our guests on our website, generalambassadorpodcast.org. I'm Ambassador Deborah McCarthy. Thank you so much for listening.