Clear and Present Danger: Cyber-Crime; Cyber-Espionage; Cyber-Terror; and Cyber-War
MODERATOR: Pete Williams, Chief Justice Correspondent, NBC News
SPEAKER: General Keith Alexander, Director, National Security Agency (NSA) and Commander, United States Cyber Command
LOCATION: Aspen Security Forum, Aspen, Colorado
DATE/TIME: Thursday, July 18, 2013, 5:30 p.m. EDT
Transcript by Federal News Service,Washington, D.C.
MS. : Well, good evening, everyone. Welcome. For those of us who have spent the day at the Aspen Security Forum, I think that there is no better way to cap off a phenomenal day that was somewhat provocative, always educational. I certainly think I speak for all of us that we're better informed than we were 24 hours ago.
So as we come to this evening's event – "Cyber, the Clear and Present Danger: Cyberterror, Cybercrime, Cyberespionage and Cyberwar" – who better to inform us than General Keith Alexander, the director of our National Security Agency, and – (applause) – and commander of U.S. CYBERCOM?
He is the longest-serving NSA director, serving nearly twice as long as any predecessor. And in 2010, General Alexander, who was feeling a little bit bored by only having one 100-hour- a-week job – (laughter) – raised his hand for CYBERCOM as well. And so for the past decades and certainly the last eight years, he has led our nation's efforts in defense and understanding,
and leads us into a robust discussion tonight about what the future holds.
I did a bit of study on the general, and I thought, when he testified in front of the Senate Appropriations Committee, he very concisely, as he does, summarized the enormity of our challenge. He said, "We operate in a dynamic and contested domain that literally changes its characteristics each and every time someone powers on a network device. Make no mistake, in light of real and growing threats in cyberspace, our nation needs a strong DOD role in cyberspace."
And on a more personal note, I don't know about you but I'm a little bit intimidated by General Alexander – two big jobs, four master's degrees – not all of his degrees, just four master's. He can tend to be an icon, so I decided I was going to do a little bit of study about who he was as a human, and I tell you, I was looking and looking and I didn't think I was going to be able to come up with anything. He's a superstar in all categories.
But I got to the point where in his confirmation hearings he was talking about his family. And the general has four daughters. I don't know when you had time for that. (Laughter.) And he has enough grandchildren to make all of us envious. But as he went through his confirmation testimony, he talked about his wife, Debbie, who grew up – they grew up together just two doors down. And he credited her not only for standing by him throughout his entire military career, but – and this is the human part – she occasionally lets him win at Yahtzee, OK? (Laughter.) So thank you, General, for taking time out of a spectacularly jammed schedule to join us.
Our moderator this evening, Pete Williams. Many of us have a date with Peter every night as we watch the news, but not everyone knows that he was previously assistant secretary of defense for public relations at the Pentagon, and since 1993 has been the correspondent covering the Supreme Court and the Justice Department.
So, General Alexander, welcome. And, Pete, the floor is yours. (Applause.)
PETER WILLIAMS: Thank you very much. Let me just ask – everybody hear us OK? Do we need to turn anything up, or we're in good business here? All right, very good.
General Alexander, I typed these questions up on my computer at home. What's the answer to number five? (Laughter.)
GENERAL KEITH ALEXANDER: Six. (Laughter.) That's classified.
MR. WILLIAMS: It's pi over 4. It's always pi over 4. (Laughter.)
Well, the president has said that he wants the nation to have a debate about these programs, so let's start right now. What are some of the misunderstandings that you have seen as these programs have become public?
GEN. ALEXANDER: Well, I think one of the things that we should start out with in answering that question, first and foremost is to put what's our mission in doing this? My mission, the mission of NSA and Cyber Command, is to defend this country. That's our mission.
And in order to do that we need programs that we didn't have prior to 9/11. And I think one of the biggest misunderstandings is what these programs do and what they don't do. And this is where you and any of your colleagues can really help us out, because from my perspective the most important thing we can do is inform the American people what these programs do.
And here's a case in point: I get a lot of questions about, are you reading my email; are you listening to my phone calls? And you think about the volume that's out there. And the answer is, with the business record FISA – and Raj De, I know, did a great job talking about this and I will pale in comparison, but I look at it – think of it as, well, how are you going to do that? How could you going to do that? How could you possibly do that, and what do we need? And the answer was, to solve 9/11 we needed some capabilities to connect the dots that we couldn't do prior to 9/11.
And if you think that we would listen to everybody's telephone calls and read everybody's email to connect the dots, how do you do that? And the answer is that's not logical. That would be a waste of our resources to get there. And from my perspective, what you need is a way to focus on the bad guy. And if you think about it, it's like looking at one of these large- screen displays, actually like looking at a thousand large-screen displays, each one with a picture element, and you've got a few billion picture elements in there. Find the bad picture element.
And in doing that, you've got to have a methodology for looking at the picture elements. That methodology is to use something we call metadata. Raj gave some great insights on metadata. It's the two-from (ph) numbers to find how we can track somebody like we did Basa al Melahlyn (ph) in 2007 in San Diego. It was based only on numbers.
And one of the key misunderstandings is, you're listening to our phone calls, you're reading our emails, for the American people. That's flat not true. What we're doing is we're collecting metadata to go after bad guys who use the same devices and the same equipment that we do. They hide amongst us to kill our people. Our job is to stop them without impacting your civil liberties and privacy. And so these programs are set up to do that, and I think – I think, from my perspective, we do a good job on it.
The second part is somebody says, well, if you do this – you know, this hop thing. And I like math. I thought math was a good thing. Everybody at NSA, we practice math. So the first hop is 40, second hop another 40, third hop is – they went up –
MR. WILLIAMS: OK, you've lost me. I have no idea what you're hopping toward. (Laughter.)
GEN. ALEXANDER: It's like Peter Rabbit.
MR. WILLIAMS: OK.
GEN. ALEXANDER: We'll get to that later.
MR. WILLIAMS: Before we get into hops –
GEN. ALEXANDER: OK.
MR. WILLIAMS: – let me just say, what you do – you have – let's talk about the phone program. You gather all this data from the phone companies and it sits in your big tank. What can you do? Can you munch on it and chew on it and do data mining, or does it just sit there until you have some specific question?
GEN. ALEXANDER: Yeah, it sits there. And that's a great question because the court restricts what we can do with that data. We can only look at that data if we have a nexus to al- Qaida or other terrorist groups.
MR. WILLIAMS: What does a nexus mean?
GEN. ALEXANDER: It means we have to show some reasonable, articulable suspicion that the phone number that we're going to look at is associated with al-Qaida or another terrorist group. So we come in, and as the example that –
MR. WILLIAMS: Somebody brings you a phone number.
GEN. ALEXANDER: Or we get one from our overseas collection. Remember we're a foreign intelligence agency. And I should have said up front, why are we doing this? Well, connecting the dots between what the FBI does in our country and what we do overseas, how do you connect the dots into what's getting into the United States?
We see from overseas, so from some information we got in Somalia, we saw some – we looked at a phone number, we said we know this is associated with al-Qaida, we looked at that phone number and we saw it touched a phone number in San Diego. And Sean Joyce, the deputy director of the FBI, was the one who said that was the Basali Muwalan (ph) case that they had started in 2003 but didn't have enough information to go up on. In 2007, we saw him talking to a facilitator in Somalia. We passed – all we have is the number. We don't know who it – a nine- digit number of 10-dignit number. We pass that – I guess they're 10 digits – we're going to be accurate – a 10-digit number to them. And they look at that and they go, ooh, this is Basali Muwalan (ph). They look up and said, four years ago we had a case. They reopened the case. They indicted, arrested and convicted Basali Muwalan (ph) of material support to terrorism.
MR. WILIAMS: OK, so that brings us back to hop. So somebody brings you a number and says help us – see what you can find. You find that that bad-guy number that you found in Yemen or somewhere is calling a number in the U.S. Now, can you just keep going to see who that person called infinitely on, or is there some limitation?
GEN. ALEXANDER: There is a limitation by the court, and there's a logical limitation. So the other one that we publicly released was the Najibullah Zazi. I practiced all day to say that one. (Laughter.)
MR. WILLIAMS: Local boy.
GEN. ALEXANDER: Local boy. We called him "Mr. Z." This was another case like that, and it gives you the hops. And I think it's important to discuss this because it puts into perspective a fallacy that's out there. So remember, our job is to help the FBI. Tremendous partners. You know, Bob Mueller and his team are absolutely superb, and we're losing a great individual as he retires. Twelve years, he's had.
Now, Najibullah Zazi. We were tracking an AQ operative in Pakistan. We saw this communications on a recipe for building something that looked like a bomb to a guy – an email address. We gave that email address, and inside there was a phone number. But we didn't know if the phone number was U.S. or foreign. We gave that to the FBI.
The FBI took that and said, hmm, this email address goes to Najibullah Zazi, and that's his phone number that was in the message. Based on that, knowing the nexus now, reasonable articulable suspicion to al-Qaida, we are now authorized to hop and see who is Nazibullah Zazi talking to and what are they planning?
The first hop was to a guy named Addis Medijunin (ph) in New York City. The second hop was to a group called Apa Waifai (ph), another operational group. And the third was to the Raleigh Eight. Now, the FBI was getting information on that same guy in New York City. This is in September of 2009, and they were going to conduct an attack in mid-September. And based on the way this moved, Customs, Border Patrol, our support, the tip – if it was not for the tip from FAA 702 that we gave, the FBI would not have seen that and they would have hit the New York City subways. That would have been the biggest event in the United States since 9/11, stopped by one of these programs and the great work by FBI and other agencies all working together.
MR. WILLIAMS: So what is the limit on the number of hops you can do?
GEN. ALEXANDER: So we're limited to three hops, but there's a logical limit. And I know somebody who's doing the math, this gets to 40. Somebody used 40 times 40 times 40. But number, 64,000, I think it is. Check me up. OK, so – then they want another hop. They want a fourth hop. We can't do that, and they got to 2 1/2 million.
Well, think about this. Our intent of doing the hops and look at this is not to see how many numbers we can give to the FBI, to see how long we can have them spend looking at numbers in a very sensitive investigation. The intent is to get this down to the right numbers that matter. So if we gave them 64,000 phone numbers and said, hey, go look up these – (laughter) – they would think we're idiots. We would prefer that they don't think that. (Laughter.) So what we do is we winnow it down and we say here are the ones that seem to matter, and then they can – remember, they had about seven days to break this case.
Think about that. They're already moving from Colorado to New York City. You have seven days to break it. If we gave them 64,000 phone numbers, said good luck with that, we're not helping. Our job is to help. The metadata program is designed to help connect the dots between what we see foreign and what we see in the U.S. without U.S. persons' name or content. It's metadata. The phone number to and from, the duration, and day, time (group ) of the call.
MR. WILLIAMS: So Edward Snowden has said in these interviews, some of these interviews he's done, that he had the capacity to – if he wanted to, he could listen to the president's conversations or anybody's he wanted. Can you do that?
GEN. ALEXANDER: No, we cannot. And you see, so those are some of the fallacies out there. You know, we don't – one, we don't have the technical capabilities. We're a foreign intelligence agency. To do that, you'd have to have AT&T and everybody else's networks all – and we don't. We'd have to go to them. And I know one of the things that you look at is, with these servers, we don't own and operate AT&T. We couldn't compel them to listen to those phone calls. That would require a warrant and probable cause finding. And under the FISA thing, we wouldn't have a reason to do that. That would be an FBI. You couldn't sit at my desk at NSA and do that. Couldn't possibly do it.
MR. WILLIAMS: So you have said that the disclosure of these programs is damaging. But explain something to us. I mean, we know that Osama bin Laden was so worried about having his communications intercepted that he used couriers. So, surely the bad guys know that we have the capacity to listen in on their phone calls and read their emails. How can the disclosure, therefore, of these programs be so damaging?
GEN. ALEXANDER: Well, it's our tactics, techniques and procedures for going after them. And what we're doing is, every time we talk about this, we take what I think are the most important tools that we have in our first line of defense for defending this country, and what we're doing is we're telling them here's our playbook, here's how we're stopping you; perhaps if you tried a different method, you'd be successful. And that's just plain crazy. What we're doing is irresponsible in this area. And I think it's significant and irreversible damage to our nation. And we've got to be clear on that.
The purpose of these programs and the reason we use secrecy is not to hide it from the American people, not to hide it from you, but to hide it from those who walk among you who are trying to kill you. How do we do that? That's part of the debate. How do we protect you and your civil liberties and privacy and still get the terrorists? And the answer can't be, well, we'll just tell them what we're doing, because what they're going to say is, OK, now we know.
MR. WILLIAMS: Well, have you seen any evidence of that?
GEN. ALEXANDER: We have. (Laughter.)
MR. WILLIAMS: So you have seen – well, what sort of evidence have you seen? (Laughter.) So to be clear, you have seen concrete proof that maybe people we used to be able to listen to are now silent?
GEN. ALEXANDER: We have concrete proof that they already – terrorist groups and others are taking action, making changes, and it's going to make our job tougher.
And here's what really, really hurts. And, you know, we have some great warriors sitting in the front row here, Carter Ham and Bill McRaven. Let's give them a big round of applause. (Applause.) Two guys in Iraq and Afghanistan, both of them. We had the honor and privilege of supporting them. And the whole role of NSA was to defend in those cases our troops abroad.
And what they did to take care of our troops and defend our nation was extraordinary. These tools are critical to defending them. And what we're doing is telling the enemy our playbook.
There's reasons we keep this secure. And it's not because we don't trust you. If we could just get all the American people in our huddle and say, OK, here's the game plan, we would do it. But the reality: Terrorists use our communications devices. They use our networks. They know how to plan around this. They use Skype. They use Yahoo. They use Google. And they are amongst us and they're trying to kill our people.
And as was mentioned, I have 15 grandchildren. I want to make sure they're safe. They're our future. And we ought to – that's something that we lived through in 9/11, and we said, never again. And what we have, from my perspective, is a reasonable approach on how we can defend our nation and protect our civil liberties and privacy. And so if you think metadata – think about the numbers that we went in in 2012. Less than 300 selectors were looked at.
MR. WILLIAMS: What's a selector?
GEN. ALEXANDER: Selector, phone numbers. Think of that as the number. So we had less than 300 selectors approved for 2012 to dip into that database. That's a very focused effort. It's based on a nexus to al-Qaida and terrorism. It's exactly what you would want your government to do.
MR. WILLIAMS: So to be clear, and – you – last year you only dipped into your phone number tank 300 times, is that what you're saying?
GEN. ALEXANDER: No. I'm saying that we had numbers that allowed us to dip in, and then we would dip in on that number and see if anything is changed periodically, based on the requirement of what that number is. And we would do one, two or three hops based on what we thought from the mission perspective was needed. And we issued a few dozen reports to the FBI. So a very focused program meant to connect the dots between the foreign intelligence agencies and the great FBI, and John Pistole there was the deputy director and a great partner.
MR. WILLIAMS: So one of questions is, you know, who needs to keep the data, whose tank is it? It's yours right now. But why not let the phone companies keep it? Let me ask you this question. Juan Zarate and Leonard Schrank wrote an op-ed in The New York Times
recently about how the Treasury Department does this with bank metadata. And in that case, it's the industry that keeps the data. And when the government wants it, it goes to industry, which has combined all the banking data put together. So could you do that with a phone company, say, you guys keep all this, and when we need it, we'll come to you?
GEN. ALEXANDER: And I know Dennis Blair talked about this earlier today, but you could technically do that. Now, it creates some operational problems that we'd have to work our way through. Specifically, you would have some data over here, some data over here and some data over here. And if you queried it and you got numbers that touched over to this database, you got to pull (out ?), touch this database, go back to this database, and you have to iterate through that, so it would mean –
MR. WILLIAMS: Well, but I'm thinking about something like the swift (ph) database, which is, you know, all the phone companies together form a consortium, for example, and put all this stuff in – but it's their tank and not yours.
GEN. ALEXANDER: So what we do is move the wire a hundred miles down the road. And that may be the best solution if you could come up, but you'd also have to change the legislation to require them to keep it and then have them keep it. And so then the issue is so how many people now have access to the data, and how is the court oversight go to that and how do you do that? Those are things that would have to be looked at. And these are actually issues that both the House Intel committee and the Senate Intel committee have asked. So they're looking at the same thing. Is it possible, what's the cost and what's the operational impact?
Now, as Dennis Blair said, we talked to the phone companies in 2009, and they said, OK, we prefer not to do that. Now, we could work that. I'm sure the government could come up with some way of working that with the companies. I think it's something that we should consider. I'm not against it.
MR. WILLIAMS: Well, if they're – I mean, I suppose the government would, number one, have to require them to do it and, number two, pay them to do it. But if it did and if that made the American people somehow feel better about the fact that it's not the government that has those numbers, operationally, from your perspective, would that be a problem?
GEN. ALEXANDER: Not operationally if you had the data in the same establishment that we have right now, no.
Now, there's one other thing that we should put in here. Everything we do is a hundred percent auditable. So every time we make a reasonable, articulable suspicion, we have to document it, and then all our oversight committees can look at, did they do it right – from the courts, Congress and all sorts throughout the executive branch. So no matter what we do, we'd still have that level of oversight so that you know that what we're doing is being audited by those committees, by Justice, by the courts so that everything that we're doing is exactly right.
And oh, by the way, none of this has been about us doing something wrong. It's not that we're doing something that's outside what we've been asked to do. We're doing exactly what we've been asked to do. Yet we do make mistakes. If we do make a mistake, we tell everybody in that chain what we did, what we're doing to fix it. And if it's with the court, the court hauls us down there. We have a discussion. Many of you may have been in front of a federal judge before. It's not a pretty scene. And for those who said that was a rubber stamp has not been in my shoes when we make a mistake.
So I would tell you I think if the American people could sit from where we sit and see how this is run, they'd say, that's exactly what you're – you should be doing. And I think it's the right thing to do. And, you know, when you – when you think about it, 300 numbers in a year, it helps stop – we talk – we were going to talk about, you know, how many – well, look at how many this helps stop, how many terrorist activities? Forty-two different – (audio glitch) – we caught people material support to terrorism, 54 that we pushed out, 13 in the U.S. And the only ones in the U.S. are the only ones that BR FISA could help on; in 12 of those 13, BR FISA had some role, whether it was to help or show (naught ?).
MR. WILLIAMS: Let me ask you about that number, if I may. So 54 plots you've talked about, or "terrorist events" I think is the phrase you used. In how many of those cases was it the phone program that was the red light? And in how many of those programs was the initial top from the other program we haven't talked about as much, which is the Internet program?
GEN. ALEXANDER: So FAA 702 is the other program. That's the one forn (ph) reaching inside based on a certification that this is, for example, CT, counterterrorism or others, that allows us to compel the carriers to go after it. We can come back to that point in a minute. Fifty-three of 54, the FAA 702 played a role in. BR FISA, or the business record FISA or metadata, can only apply to the ones in the U.S., and there are only 13 inside the U.S.; it applied to 12 of those 13.
Now, you asked a great question. And the answer – this is like putting together a puzzle, the dots. (Audio glitch) – the United States is to – (audio glitch) – to the FBI. And when you can't afford to do is what we did in 9/11, not have enough information to connect the dots. We all came together as a country and said, never again. We don't want another 9/11. And look at the track record since 2001. It's extraordinary what the FBI, CIA, NSA and Defense Department has done to protect this country is absolutely amazing.
And one more thing for the American people from my perspective, 41 one of those were with our allies. Seventy-five percent of the time, we help defend them with these programs. Germany, France, Denmark and other countries around the world benefited from what the United States did here. And from my perspective, that law – (audio glitch) – program that we have under court supervision is run better and has better oversight than just about any other country in the world.
MR. WILLIAMS: But if you mentioned the Zazi case earlier, and you say that the breakthrough there was seeing that he's emailing the bad guys saying that, you know, remind me again how do I make this bomb. And that's what then is the initial tip that leads to the phone numbers. So of those 54 cases that you've mentioned, in how many was the email program the initial tipoff? And how many can you say it was the phone program the tipoff?
GEN. ALEXANDER: Yeah, I don't have the numbers off the top of my head to break it out like that, but clearly, the FAA 702 with content based on knowing that's a bad guy has been –
MR. WILLIAMS: That's the email program.
GEN. ALEXANDER: – that's the email program – is much more effective in that regard. And the business record is starting back a step.
So let me clarify this so – to help all of us understand what we're talking about here – (audio glitch) – guys are, it's hard to go collect their email, right? So you can't take the first step and go in after Zazi if you don't know he's a bad guy. So you need a program using metadata analysis to find out who the bad guy is. If you try to just collect everybody's emails, they're never going to read them all. One, we'd have to have megareading classes a lot, and it would be operationally inefficient and ineffective to do it. So what you need is a metadata program to steer it.
What that means is we're a foreign intelligence agency. Our job is to go after foreign intelligence requirements. We don't listen to the people phone calls in Brazil just for fun or their – read their emails; it would be operationally ineffective to do that – nor do we do that in Germany. What do we do in Germany? Well, the counterterrorism is a great case in point. If we see a terrorist trying to get into Germany, we use a metadata to figure out who it is, we pass that to the German authorities. And if we got it from the FAA 702 and it's relevant to that, we'd pass that to the German authorities.
And you need those programs to work together because you can't do – look at the billions of email and the number of calls. It would require way more people, millions, hundreds of millions of people to do that. We could not possibly do it.
And so I think – you know, this is where – I think, in this debate, one of the things that we could do is help educate and inform the American people on this. And this is where – we have some of the best press people in the world in this audience. Don't raise your hands. (Laughter.) My understanding –
MR. WILLIAMS: We all would – we all would.
GEN. ALEXANDER: Yeah, sorry. One of them is right here. So my comment is, look, think about the math in this. Think about what we're trying to do. Help us defend this country and protect our civil liberties and privacy. And if anybody has a better way to do it than what we're doing today, we are – we want to hear that.
MR. WILLIAMS: Let me ask about – a question – you talked about your industry partners here. So today, Apple, Google, Facebook, LinkedIn, Yahoo, Microsoft, Twitter and several other computer and communication companies wrote a letter to the administration – one copied to you – saying that they want the legal authority to be able to publicly disclose the number – the scope and number of requests they get from you to disclose information. Would you be in favor of that?
GEN. ALEXANDER: Well, let me hit a couple of things. Yes, but I want to caveat that. First, these carriers are compelled to support us in these programs. They don't have a choice. Court order; they have to do this. And, you know, these are global companies. They are oftentimes compelled, if they have a headquarters in another country, to do the same thing – a lawful intercept program – they have to do that.
Now, from my perspective, what they want is the rest of the world to know is, we're not reading all that email, so they want to give out the numbers. I think there's some logic in doing that. And the issue really comes down to, these programs – there's two general fields for getting this. One is for criminal law enforcement that the FBI runs, and one is the national security side of that. And so the FBI and we are trying to figure out, how do you do that without hurting any of the ongoing FBI investigations? So that's the hard part. But the reality is, when you look at the numbers, and people look at that, they'll say, OK, this is a logical and reasonable program.
So they're working their way through this; we just wanted to make sure we do it right, that we don't impact anything ongoing with the FBI. I think that's a reasonable approach.
From my perspective, what the American people and the rest of the people of the world should know, what these companies are doing they're compelled to do. And I will tell you, they know that they're helping us save lives here and in other countries around the world, and that's good businesses, because there's more people that can buy their products. (Laughter.)
MR. WILLIAMS: This program is supposed to be about cyber – and don't worry; we'll get to that. But I have a couple of more questions that have arisen since this program was set up and the program was printed. May I ask you about Edward Snowden? I realize you can't tell us what he got, but do you feel now that you know what he got?
GEN. ALEXANDER: Yes.
MR. WILLIAMS: And was it a lot?
GEN. ALEXANDER: Yes.
MR. WILLIAMS: How did it happen? Didn't you learn your lesson from the Bradley Manning case that people aren't supposed to be able to plug stuff into your computers and just download it?
GEN. ALEXANDER: So the issue here is – many of you may already know that this leaker was a system administrator and ran the SharePoint account in NSA Hawaii. And so his responsibility was to move data. And as a system administrator, he also had access to thumb drives and other tools. So what we had is a person who was given the responsibility and the trust to do this job – betrayed that responsibility and trust and took this data.
Now, I know Dr. Carter (sp) talked about some ways of doing it – two-person rules, what we can do within DOD, what we can do across the intelligence community, and we're taking the actions to fix this.
MR. WILLIAMS: So what does that mean practically? That no one person can move a file? It takes two to do it?
GEN. ALEXANDER: And you limit the numbers of people that can write to a media. Instead of allowing all system administrators, drop it down to a few and use a two-person rule; close and lock server rooms so that it takes two people to get in there. This makes our job more difficult. It is the main reason we need to jump to the joint information environment – the thin virtual cloud, because in that, we can also then encrypt the data and ensure, if somebody were to steal it, it's encrypted. I think we also have to ensure that we make sure that people who need information to do their job have access to that information. That was one of the lessons learned; so we want to balance these two and get it exactly right.
So we have that. That's one of our jobs to fix. Since this happened at our place, on our watch, we're piloting that for DOD and for the IC, and we will fix this in our stuff. That's our responsibility, and we will do that.
MR. WILLIAMS: Do you have a way of distinguishing between what Edward Snowden looked at and what he actually downloaded and took? Do you have a pretty good idea of what he downloaded, and is there some order of magnitude you could tell us about? Was it millions of documents? Hundreds of thousands?
GEN. ALEXANDER: I really can't go into that, because that gets into the law enforcement side and that – (inaudible) –
MR. WILLIAMS: But what about the other part? Can you tell the difference between what he looked in the library and what he actually checked out?
GEN. ALEXANDER: OK. We have good insights to that, yes.
MR. WILLIAMS: Let me ask you about a comment made by a U.S. senator earlier this month. Let me quote what he said at a hearing. He said "we have heard administration officials defend programs like the one we've been talking about by saying they're critical to identifying and connecting the so-called dots. There's always going to be more dots to analyze and collect and try to connect. When government is collecting data on millions of innocent Americans on a daily basis, when is enough enough? Just because we have the ability to collect huge amounts of data doesn't mean that we should be doing it."
So when is enough enough, or will you always want more?
GEN. ALEXANDER: Well, I think the issue is, what does it take to stop a terrorist attack? I mean, this is the real issue, because we're not playing in this data to just while away our time. What we're trying to do is find out what the terrorists are doing. What we're doing is defending our troops forward. We're trying to defend this country. And what we know from 9/11 is, we didn't have enough information to connect the dots. We know that these two programs have helped us do this. We know that the damage caused by this information going out is significant and irreversible and will make it more difficult in the future.
But from my perspective, what we don't want to do is starting saying, well, let's cut back a little bit and see where the edge is and say, OK, a terrorist attack occurs; step forward one step. It's not like that. When you look at what we're asking the FBI to do to defend this nation against terrorist attacks, time is of the essence. Sean Joyce did a great one at the 16 June, and I don't have it here with me – I know I was supposed to memorize it, but the value of an American citizen is priceless. That's our – that's our friends, that's our family. That's what we vowed to take care of. That's our job, is to defend this nation. And what we're not asking is for data that we're going to just trawl through. It would be – but we do need the information to protect this nation. And we have more oversight on this program than any other program in government that I am aware of.
MR. WILLIAMS: So let me say as a program not here, we started about five minutes
late, so I'm just going to go about five minutes longer. And if anyone here tries to stop us, there's a guy in uniform next to me; good luck with that. (Laughter.)
There was a fair amount of discussion here today about relevance, because the law that allows you to get this phone data says you can order companies to turn it over if it's relevant to an investigation. And the question has arisen several times here today. How can every phone record in possession of a telecommunications firm be relevant to an investigation? What's your answer to that?
GEN. ALEXANDER: So the issue is – what you can't do is, if you don't know who the bad guy is – so let's say you have a million dots on the screen, and you're not allowed to collect any until you have a problem and say, OK, I now have a question, and somebody says, what's the question? I have this number. And you say, you didn't ask about that number. We don't have anything on that number. Well, why not? Well, you didn't – you didn't keep it? Well, why not? Well, we didn't know it was relevant. So we argued that. The courts argued that. Justices argued that. And said well – so you need the data – you need the haystack to find the needle. If you don't have it, when you go to ask it, it's not going to be there.
MR. WILLIAMS: But this answer seems like the old gag about the guy who's lost his watch, and someone says, why are you looking here? He says, well, I lost it down the street, but the light's better here. I mean – (scattered laughter) –
GEN. ALEXANDER: No, that – in fact, it's just the opposite. What it's saying is, if you only look under the light, you won't find your watch. And if you only go with the numbers you know, you won't find the 9/11 guys in it because you didn't know about it. So how do you find Midar in California? And the answer was, shoot, we didn't have his numbers. We didn't have the numbers to look at. We didn't have a database to go. We needed that database. And so that's why we put this together, to solve the Midar case. And for –
MR. WILLIAMS: Well, from a legal perspective, is the government basically saying that it's OK to gather this stuff, and you should only be concerned about it when we actually look at it? We should – we should think about this in terms of when you look at it rather than when you gather it?
GEN. ALEXANDER: Well, I think that's where the court puts restrictions on how we use it. So what the court said is, OK we agree with the findings from Justice; they've gone through this and they looked at it. But they said, here's some restrictions. One, you can't just go through the data and do all of the stuff that everybody believes we're doing, you can only look at the data when you have a phone number, a number reasonable – (audio break) – suspicion that it's associated with al-Qaida or terrorist groups. And then and only then can you look into that. And you can't do it for drugs. You can't do it for other problems that you come up with, only
for that case, because that's the way the court designed this and the way that Justice worked it.
So from my perspective, it's to address this problem. And I think when you look at it and you look at the safeguards that go into it and you think about the numbers – think about – picture elements in a thousand different large-screen, high-definition TVs, find the right picture element, it would be impossible to do without some programming.
MR. WILLIAMS: Let me ask one other question about how legally to think about this. What if the police said, you know, we have a problem. There are people who are selling drugs in this neighborhood in Aspen. And so what we want everybody to do is just – we're going to go door to door and have you empty your pockets, and then we'll put that in a big box and if there's ever a drug investigation, then we'll look in the box. But trust us, we won't look until we need
it.
Why shouldn't we think of the phone program as like that?
GEN. ALEXANDER: Well, for one, there's the 1979 Supreme Court case that looked at metadata. And I know you guys discussed that, and I know Raj (sp) discussed that earlier, so I won't go through all of that, but there is –
MR. WILLIAMS: And that's the case that said there's no reasonable expectation of privacy in the records you – (inaudible) –
GEN. ALEXANDER: Exactly right – and it also means that it doesn't then go into the unreasonable search area. What they've done is to make sure that what you're doing is correct, is limited, how you look at the data and when you can look at it. And that's where the reasonable list comes in.
So from my perspective, let's look at it this way: You know, from us, from America, from our perspective, how could we better stop terrorist attacks? What more could we do to keep this country safe? We all lost friends and other citizens in 9/11. We made an agreement that that wouldn't happen again. And what we're doing on this, less than 300 selectors in a year, I think, is reasonable and proportional to what we need to do to defend this country.
And with the oversight that we get from the courts, Congress and the administration, I don't think we could ask for anything better. I think everybody who's looked at this has said, yeah, when you look at it, it's the right thing. So I do think, from my perspective, this is the nest approach.
Now, if somebody comes up with a better idea, we want to hear it, because reality is, the job is to tip the FBI to catch bad guys; stop terrorist attacks. That's the mission here – and help our allies.
MR. WILLIAMS: Let's move onto cyber and the – I just have a couple of questions, and then we'll invite questions from folks in the audience.
We've heard a little bit earlier today from Ash Carter about the fact that you all are ready to start deploying cyber teams to be able to carry missions out. Can you tell a little more about that? And what are these – what are these teams supposed to do? Are they merely defensive, or will some be offensive that can – that can stage cyberattacks?
GEN. ALEXANDER: It's both, both offense and defense, and we are biased towards defending our networks in the nation first. That's our first mission. And so the teams that we're standing up first are ones that would defend this country and defend our networks. And I think Ash Carter talked about that briefly.
Let me give you some insights. Look at what happened to Saudi Aramco in August of 2012. Over – the data on over 30,000 systems was destroyed, and then in RasGas in Qatar, in South Korea in March, in beginning June. These are destructive attacks, and we've had hundreds of attacks against Wall Street, distributed denial of service attacks. It's getting worse; they're impacting our nation's financial sectors, going after for energy and stealing intellectual property.
We have to work together as a nation to solve this. We absolutely have to do that. Our job, U.S. Cyber Command's job and NSA's job, is to work together to provide the capabilities to defend this country, to defend the DOD networks and work with DHS, FBI and others in the defense of this nation.
And I think actually, we're doing pretty good on it. We are standing up teams, we're training them and certifying them all to a standard. I think just as you would want us to do, they're going through that training, they'll be certified. We'll know that what they're doing, they're trained to the right standards to do this. A huge step forward. It's going to take time, the service chiefs – I know Mark Welsh was here yesterday – are bending over backwards to help push units into this. They realize that there's a couple areas that this country has its risks, terrorism, cyber, but we've got to be prepared for those. And so we're doing a lot in that area, and I think standing up these teams – the work is going good. We've stood up several teams.
MR. WILLIAMS: How many?
GEN. ALEXANDER: Several.
MR. WILLIAMS: OK. (Laughter.) More than three?
GEN. ALEXANDER: Yes.
MR. WILLIAMS: (Laughs.) OK. Do you – are the rules of engagement clear for the offensive teams, when the – when we shoot first?
GEN. ALEXANDER: Well, so the shooting first is a policy decision; what we do is training. And just like any other military outfit, we train these folks to do what they need to do to defend our country. And you know, for defending yourselves, it's not just catch bullets – I'm just thinking out loud – if somebody's throwing a missile at you, you're going to say, OK, I got to catch this one, I wish I could shoot it down. You might want a capability to shoot it down. And in cyberspace, you're going to want the same capabilities to stop somebody from taking down Wall Street.
We're going to need capabilities to do that. You would expect us to have those capabilities, but the decision to employ those is a policy decision. Our job is to set those up. And what we'll be capable of doing and authorized to do is to defend within our networks, and to raise the issue to the secretary of defense and the president and say, here's the issue that we see; over to you for a policy-level decision.
MR. WILLIAMS: All right, let's take some questions. There's somebody roaming among you –
GEN. ALEXANDER: Could I hit one other thing?
MR. WILLIAMS: Yes, please.
GEN. ALEXANDER: I just want to hit one other thing, cyber legislation, if I could.
MR. WILLIAMS: Yeah.
GEN. ALEXANDER: We do need cyber legislation; why? We can't see Wall Street as an example.
MR. WILLIAMS: What does that mean, you can't see it?
GEN. ALEXANDER: Well, from Aspen, it's a long ways away. (Laughter.) No, actually. (Chuckles.) In cyber –
MR. WILLIAMS: On a clear day, you can see Wall Street –
GEN. ALEXANDER: (Chuckles.) That's right. A clear day, but you got to stand up on that mountain.
In cyberspace, we can't see somebody attacking Wall Street from Wall Street's perspective. So if somebody were to employ a destructive attack, somebody's got to tell us, call us, we're standing by the phones, you got to tell us that. But how do you work that? Companies can't share some of that data with the government; we need legislation to work with the government, between FBI, DHS, NSA and Cyber Command, we need them to be able to tell us – we need to tell them what the bad guys look like. Think of this as cars on the highway: If you see a red car on the highway carrying explosives, please stop it, tell us where you saw it coming from. If it's overseas, NSA, Cyber Command will work it. If it's in the United States, DHS, FBI will work it. But we have to have legislation to get us working together.
And if we do that, we've got to figure out how to set the right liability protections. I don't know what those are; I know folks are working that from the White House and in Congress; we'll get that, right? But that's what we (need ?).
MR. WILLIAMS: Why do they need liability protection? Protection from what?
GEN. ALEXANDER: Well – for a couple of things. If we tell them it's the red car and the way we stop the red car also stop red-striped cars by mistake because the government makes a mistake, then the government should be accountable for that.
MR. WILLIAMS: OK, questions, right here, yes sir. Wait until a person – or there's – well, yes, right, as I said –
Q: Clark Bell with the McCormick Foundation.
Were you surprised at the extent of the backlash post-Snowden?
GEN. ALEXANDER: I was, partially because I felt that the way the information was put out there didn't set the right framework for it. So the way it first came out is NSA is in all the systems, got on all the servers and getting all this and listening to all your phone calls. You now know that's not true. It's absolutely not true. But that's how it started out. So what we did is we raced to the wrong conclusion and started this debate. If we're going to have a debate, let's have it with the facts.
I do think this is a good thing to do. There is risk in having a debate on a national security issue. The adversary will learn what we're trying to do. So there are some things that we can't share, and I think the American people have to understand that the executive branch, the courts and Congress, your elected representatives, are going to do the right thing here. And from my perspective, on our intel committees and across the board, they are doing the right things.
So yes, I was.
MR. WILLIAMS: Right there, yes sir.
Q: General, I'm Bob O'Harrow at the Washington Post. I'm interested in the fact that earlier today Deputy Secretary Carter said that – called it a major mistake to put such large pools of information together while giving access to that information inside the NSA to a far wider variety of people than may have happened a generation ago. That's what I guess some people call the insider threat or the insider cyberthreat. You addressed that briefly earlier, but how big is that threat, both inside the government and in corporate America, and what – can you give us a little more detail about your efforts to fix it? And finally, why is that threat still in place after Buckshot Yankee and the WikiLeaks earlier?
GEN. ALEXANDER: Well, so each one's slightly different, starting at your last question first. This leaker was a system administrator who was trusted with moving information to actually make sure the right information was on the SharePoint servers that NSA Hawaii needed, a huge break in trust and confidence. So there's issues that we've got to fix there
I think the second part of that is what do system administrators need access to, and how do we limit that? What do our analysts need access to, and how do we limit that? And I know John (sp) – is John (sp) one of the premier guys from another agency with great analytic experience knows that if you don't give the analysts the right information, you know, that's – so we've got to figure out how to balance this.
I am a tremendous advocate for the Joint Information Environment. I know Dr. Carter perhaps didn't get the time to talk about that, but that's where we need to get to. And the reason is then all the data sets could be encrypted differently, and those who have a need for that data set can get access to the data set, not only the data sets they have – they need access to.
Now, after 9/11 we had this need to share. I think there's goodness in sharing. We've got to make sure that we do it right. I think we've got to stop people from being able to download information, including system administrators, why we'll go to the two-person rule and why we'll lock down the server rooms.
Those are the key things that we will do to address this. But as you may know, system administrators need (removal media ?) to do their job. That just makes our job twice as hard now.
MR. WILLIAMS: Question from the gentleman from ZDF here.
Q: (Off mic.)
MR. WILLIAMS: Wait till you get the microphone here, or speak extremely loudly, one or the other.
Q: Stephen Berry (sp), the University of Chicago. Could you say something about the current manpower situation for the capability to maintain cybersecurity? This is certainly an issue that we face right now.
GEN. ALEXANDER: So there is a tremendous set of issues on manpower. So one of the reasons Secretary Gates made the decision to put Cyber Command at NSA is to leverage the technical capabilities that NSA has, all those mathematicians, computer scientists, the real technical people who work on the networks every day. We need to leverage those, and to create with the military the force structure we need to support combatant commands, to defend this nation and defend the DOD networks. And if we put those two together and came up with a training program – think of this just like you do at the University of Chicago – what you're doing is you're bringing in folks to train, and you're using the great staff that you have there, like Dr. Grossman and others, to train these people.
And from our perspective, we want to do both just as well. And I think that's a great step forward. So we don't need everybody to be at a master's degree level to operate in this space. We can train some of them. And you know, some of the young folks we have coming into the military are absolutely superb. And we can train those. But we do need people up here who have a Ph.D. in mathematics, a Ph.D. in computer science. So NSA can do parts of it. Cyber Command can do parts of it.
Now, this is going to be a challenge to keep those folks. That's going to be a real issue. And so we've got to look at how do we incentivize soldiers, sailors, airmen and Marines. And we're looking at that because I do think that's very important. And I'll come back on the people of NSA at the end. I just got to make sure I do that.
Thank you.
MR. WILLIAMS: Well, let me ask you right now: What sort of impact has all of these – have these leaks and the public debate had on morale?
GEN. ALEXANDER: Well, it's impacted it for a couple reasons. You know, the great question from the Washington Post: We're a great technical agency. To have this happen to our agency is just flat wrong. You know, we have great people.
And you know, I was – you know, I'm glad that both Carter Ham and Bill McRaven are here because two of the folks that we had the honor and privilege of supporting in Iraq and Afghanistan are here. We take supporting our folks abroad and defending this country to heart. Our people look at that as a privilege and honor to serve this country. They serve in silence. We have great support with the FBI, CIA, the rest of DOD. And we operate as a great team.
And you know, when I look at that, we've had 20 cryptologists killed in Afghanistan and Iraq since we started those. These are folks who gave their life to ensure that our troops would come back. They are the ones that help defend this country. They are the true heroes in this. Make no mistake about it: These are great people who we're slamming and tarnishing, and it's wrong. And it ought to stop. And you ought to help us get that word out. They're the heroes, not this leaker and others. What they're doing – (applause) – and I'll tell you, I couldn't be more proud to work with those folks. It's an honor and privilege every day.
MR. WILLIAMS: Question right over here. There, right there. You got the microphone. Oh, you brought our own. How nice. (Laughter.)
Q: Actually, I just got it. Thanks, Pete. Emmett Evanson (sp) with ZDF German TV. Thank you, General, for sharing your thoughts with us. You mentioned Germany, of course. How big of a surprise was it for you that German politicians and German authorities claimed so much surprise about the extent of the programs? Didn't they know all along? And while I'm at it, I also have a second question. Why are you focusing so much on gathering data also from Brazil, since there's not too much terrorism going on in Brazil as far as I know?
GEN. ALEXANDER: So two questions. First, every nation acts in its own self-interest, Germany, France, the United States, Brazil. We all have intelligence agencies, and I'm sure they're doing something. (Laughter, applause.) Inquiring minds want to know. (Laughter.) You have – you have great intelligence agencies and great people there. It's an honor and privilege to work with them and to stop terrorist attacks and for what they've done in Afghanistan – absolutely superb. But we don't tell them everything we do, nor how we do it. Now they know. And they know that our programs that we do go through a court process that's probably more rigorous than anybody's in the world.
And Brazil – you know, the reality is we're not collecting all the emails on the people in Brazil nor listening to their phone numbers. Why would we do that? What somebody took was a program that looks at metadata around the world that you would use to find terrorist activities that might transit and leaped to the conclusion that, aha, metadata – they must be listening to everybody's phone; they must be reading everybody's email. Our job is foreign intelligence.
I'll tell you, 99.9 and I don't know how many 9's go out of all that, whether it's in German or Brazil, is of no interest to a foreign intelligence agency. What is of interest is a terrorist hopping through or doing something like that. So ours has to be based on a foreign intelligence requirement. What has been grossly misstated is that we're reading everything.
So what I would ask you to do – just look at the numbers of people in Brazil, 201 million, and – I Googled that today – (laughter) – just want you to know – 80-some million in German. Think about the amount of email and phone number data that it would take – and I was talking to one of European partners, whose name we won't use. And their comment is if we wanted to do that, half the country would have to be listening to the other half. (Laughter.) And it's not possible, and it doesn't make sense. And if you think about it, think about what you need to do to actually find the right people to go after. And there's enough bad guys to keep all our intelligence agencies busy.
And so I think what we need to do is get the facts out. By alarming people and saying, they're reading all your email; they're listening to all your phone calls – you know, it's wrong. It's absurd. And so that's where I think the newspaper people in here could do a quick study, think about how hard that would be, and step back and say, does that make sense? And the answer would be, no.
MR. WILLIAMS: Questions over here? Josh?
Q: Hi, General. Josh Gerstein with Politico. You know, all these programs involve
some kind of trade-off. I think you'd acknowledge that, say, with the phone call database there's some intrusion, that perhaps there's some intrusion of people's privacy to collect all their phone numbers. So we have to judge whether that intrusion makes sense.
My question is, why can't you guys come up with a better example of where the phone call tracking database program has been useful? You mentioned the San Diego case, Mualin or something to that effect, which, as I understand it, is – he was a – someone involved with al- Shabab, bad news organization, most Americans would agree. But it seems a pretty far cry from a domestic terrorist event that people would be acutely concerned about. And then when pressed further, you revert to the 702 program and Zazi in New York, which everyone would be greatly concerned about, but I don't understand the connection between that and collecting everybody's phone numbers. So can you explain a little bit with the dozen cases you mentioned, why we didn't have a better example?
GEN. ALEXANDER: So the Zazi case, there's two parts to it. And thanks, because I do want people to understand this. The Basaaly Mualin was done all on business record FISA, all based on the metadata program, all tipped from that. So that's one. But to really understand the value – it's not that these are going to have – or stop that. These are going to present capabilities and insights for FBI to put together the puzzle to help them understand what's going on. And the Zazi case is actually a case where you're starting to bring in multiple pieces of information to solve a terrorist – a real terrorist threat. The first piece that comes in is from FAA 702 and says, this guy's planning something, heads up, and everybody goes on alert. The business record FISA says, this guy's talking to a guy in New York City who is – has contacts with two other terrorist organizations, one and two – (inaudible). So what you've done is you've used the FAA 702 to point to the guy in Colorado and the business record FISA to say, here's – I shouldn't – (off mic, laughter). (Laughs.) Here's how the network works.
And so you see how both of those comes. But Customs and Border Patrol added some information in, and FBI agents added some information in, and what we're trying to do is give the agents enough information to stop the attack. And from my perspective, just that case alone, these paid for themselves – these paid for it. I think, when you look at the types – and the times that we've looked at that data, just the times and the numbers that we're looking at, it's reasonable and proportional. And I turn it around and say, OK, so, given that that's the best way we could come up with it in the debate, the question is, is there a better way to do it? Now, one of those is could we push the data to the providers? That's an option. Could we have more oversight? You know, we have 12 to 1 already. Maybe 14 to 1.
But the reality is everybody who's looking at this doesn't say what we're doing is wrong. What they're doing is they're saying it's right. And then everybody who says it's right, what they get is, well, you're just rubber stamping it; find another guy. So we add 14 in. You guys all say it's right. OK, what about you? You're rubber-stamping it. You say it's right? You're rubber-stamping.
So what we're going to do is everybody that says it's right is rubber-stamping. And so my comment is we've got to step back and defend the nation and protect civil liberties and privacy. And, you know, it can't be, well, let's just stop doing it, because we already know that doesn't work. We've got to have some program like this.
And what I'm really asking for, Josh, is for you and others, help us put those facts on the table. Let's have a discussion based on fact, not sensationalize and inflame the debate to such a point that everybody is racing over and then finds out, oop, that's not true. And we have another terrorist attack because we stopped doing something that we needed. We can't do that.
MR. WILLIAMS: Let's take two more. Bart?
Q: I'm Bart Gellman. I like very much the idea of making this debate about the facts, and I want to talk a little bit more about the oversight and see if I understand you correctly.
I understand and stipulate that you collect examples internally of, for example, inadvertent collection on Americans, and you report those to Congress and the courts. But you have – in 702 you have a program that's authorized once a year, and the procedures are authorized, but you're not saying that the judges or Congress are examining any of the 45,000 selectors that you're using in that, or what was the – what was the basis of the "reasonable, articulable" suspicion or, you know, whether you used the right – you made the right decision, adequately supported, to retain or not retain the communications? I mean, they don't go into that, right?
GEN. ALEXANDER: They don't necessarily go into it, but our overseers do go into portions of that. Our general counsel, our IG, they do look at that to make sure that what we're doing is right.
And what we do have to do is we look at this and, for example, let's say you make a mistake and there's somebody in the FATA who we thought was a bad guy. He turns out to be U.S. person. That's a violation. We have to report that: We made a mistake. We thought "Abu X" was a bad guy. We made an assumption. All the indicators were there, a bad guy. Here's how we came to that. We tell the court, we tell the administration, we tell Justice, we tell the IGs. We tell everybody in that chain, and then we say, here's what we're going to do. And the court would normally say, OK, you have to expunge or purge that data.
And so we have a very good rule for working our way through this. And I think, from my perspective, it's done exceptionally well. And you're right; we do make mistakes, and we self-report those mistakes. And, you know, one of the things that – when the president first came on board we had a huge set of mistakes that we were working through in 2009. And his comments – I can – he said, essentially, I can see the value of these, but how do we ensure that we get these within compliance and we do everything exactly right?
So we stood up our Directorate of Compliance. And what they do is they systematically do what you're talking about. They go through and make sure that they way we've written these and the way that we're doing this is done exactly right. And we have a tremendous number of training programs that we send our people through so that when they look at this data they know exactly what they're doing. There are several courses, mandatory courses, that everybody who touches this data has to go through. And they have to pass a test on those. It's not just go through the course, flick through it and then say, OK done. They have to pass a test and then they can use the data again. But they have to go through it just like that.
So from my perspective I think that's a great way to do it. Look at it this way: I think that's one of the best ways of providing oversight and compliance and a lawful intercept capability of any country in the world. Now, I'm not familiar with all the other countries in the world, but you have greater insights.
So, you know, as you look at those, is there a better way to do it? Could we protect civil liberties and privacy better and defend this nation better? That's what I think we need to do. And you have some great insights on that, so we ought to put those on the table.
MR. WILLIAMS: Thank you all for your questions. General Alexander, thank you. (Applause.)
END