MR. IGNATIUS: Welcome to Washington Post Live. I'm David Ignatius, a columnist for The Post. My guest today is General Keith Alexander, retired U.S. Army four-star general who was the director of the National Security Agency, our codebreaking agency under Presidents George W. Bush and Barack Obama. He was the first commander of U.S. Cyber Command. He's gone on since leaving the government to co-found and the co-CEO of a company called IronNet, which is in the business of trying to help companies be safer in this world of growing cyberattacks. We're going to discuss how to keep companies safe and General Alexander's ideas to this new company. Welcome to Washington Post Live, General Alexander. Thanks for joining us.

GEN. ALEXANDER: Well, thank you, David. It's an honor to be here once again and to talk with you.

MR. IGNATIUS: So let's begin with your company, IronNet, and your idea of collective defense. As I understand it, you would pool from the companies that are part of your system information about threats, anonymize them in some way, and then share them with the government. I want to ask how that would work; and second, what the government would then do with the threat information that you provided from your collective defense network.

GEN. ALEXANDER: So, David, that starts with how do you detect things that go beyond the current way we do detections in networks. Today, almost every company uses what we call signature-based detection. Those are rules that we understand the threat, we know what it looks like, and we block that. And we use that as a starting point.

The hard part is what happens when the threat actually gets through, using a vulnerability that we didn't understand, or somebody makes a mistake, they get phished, or any other option to get into supply chain, as we're seeing in the SolarWinds attack and other things. These attacks go on and are invisible to companies.

So we need to add to that signature-based system a behavior offset. And the nice part about adding in behavioral analytics is it starts to show you things that you don't see with signature based. And this gives us a great opportunity. First, we can hunt things in our network at speeds that we never thought possible before. But as you said, it also gives us a chance to take that information, those events, put them up into the cloud, correlate those with other companies that are out there, and begin to get a picture of what's going on in cyberspace.

Today, the big fall that I see and that I saw when I commanded U.S. Cyber Command--remember, we had the mission to defend the country. We couldn't see attacks on the country. The consequences: We're not doing defense. We're doing incident response. That's after the attack. If you want defense, we have to create a radar picture. That radar picture has to be as close to network speed as possible, has to show it across companies, sectors, states, and share it with the nation in such a way that both the Defense Department and Homeland Security can do their missions to help protect this nation in cyber. They've got to have a radar picture that they can see and respond to.

And it goes a step further. We don't have enough people in cyber. We never will. This is growing so fast. We have so many people trying to work it, but they're working on their company. You know, take 90 midsize companies with 10 security analysts each. They're doing the best they can to keep up, and down the road’s another company doing the best they can. Imagine if those 90 companies, 10 people each, work together. That's 900 people working collective defense for the good of all of them. And they can help other companies as well, by sharing knowledge, crowdsourcing, automated correlation, and then sharing that with the government. We can make cyber a secure space, and that's what we need to do.

MR. IGNATIUS: General Alexander, let me ask you to unpack that a little bit. It's fascinating but it's complicated. And I want to make sure our viewers understand clearly what you're suggesting. So in addition to the current signature analytics that look at the signatures of attacks, you're talking about a kind of behavioral analytics. And I'm not sure I understand just what that would be. Would it be AI that would see similar patterns? What would that analytical tool set look like?

GEN. ALEXANDER: So first, signature based is threats that we know. And as you think about the way a threat--like what hit the Defense Department in 2008, when the Russians attacked that, they use variants of software. The first variants of that malware that hit us, McAfee and Symantec would create a signature. That's a hash value; it's unique to that capability. We put that in our systems, and we block that. That's a good thing to do. That cuts the noise out of the system.

What about those things that you don't know? So when they change that, they get back into the system, we'd have to go find them, create a new signature and block it. So behaviors, looks at the behavior of what are they doing to get in. And those behaviors could be things like beaconing. You want to find all the beacons.

Now in doing that, you hit on a key point. If I gave you all the beacons in a network, your security analysts would think we're crazy. There's too many. So you need a behavioral set of analytics to detect certain types of behaviors--beaconing, command and control, lateral movement, and things like that. And you need an expert system with machine learning and AI to look at all of that information and say what are the ones that are important enough for us to look at and what are benign; take those off the table. Now let's look at those that are important. Have a machine look at that, and event and rate every one of those alerts and share them up in the cloud and see who else has ones just like that.

So for SolarWinds, what that would have done is it would have showed us the companies that were being hit with this in the government agencies at speed. We believe that had we done that properly, Kevin Mandia says if we had shared that, that would have happened in June of last year. So those behavioral analytics look at behaviors as a machine learning and AI to rate every one of those behaviors.

And then as you noted, we anonymize that information so it can be shared, both among companies and with the government. That's a huge step in cybersecurity. You know, if you think about it, we have this huge network. But every company defends itself. We use tools that are shared, but every security analyst is in essence operating as if they're an island unto themselves. And the adversary sees this as a great opportunity because all they have to do is find one entry point, one company that didn't do something right, one human that makes a mistake, and they're into the supply chain.

Think about SolarWinds. Somebody made a mistake. And so what happens is we don't see that because we're looking for something that we know. And the adversary is doing things that we didn't know. And this is, I think, the next jump in cybersecurity. We've got to go to behaviors. They're really hard. There's a lot of false positives, so you need machine learning and AI. But the real value is collective defense. This is where--



MR. IGANTIUS: General, so I'm imagining this just in a simple analogy as being like a neighborhood watch where everybody in the neighborhood is on the lookout. And then if people see patterns that are suspicious, they tell the police, and then the police do something about it. Assuming that's not a wildly off base analogy, my question is, what does the government do with this information once it gets it? Does it go on the offense? Does it go after the attackers? What happens?

GEN. ALEXANDER: So there's two sets of missions. From a DHS perspective, they want to make sure that our nation has secure critical infrastructure. So what Director Jen Easterly and her team would be doing is making sure that we have protections in place, helping those companies that are under attack, and doing what they can to ensure the security of that space.

The Defense Department has the mission to defend the country. And there's where the rules of engagement, which come from the president, the White House, the secretary, the General Nakasone saying, here's what you do in these cases.

And this is where we've got to really get good. You're hitting on a key point. We have to practice this. We have to practice how are we going to protect this nation. I can give you the information. If an adversary is attacking our energy sector to take down the grid, what do you want him to do about it? And we have to act fast, because recognize those things can happen almost at the speed of light.

So those rules of engagement have to be in place. They have to be practiced. Everybody has to be knowledgeable about what General Nakasone and Cyber Command are going to do, especially the president and the secretary of defense and Congress. And then we have to practice. And we have to work with our allies.

So you have the Defense Department who has the offensive mission to defend us--that's block things and stop those that are attacking us. You have FBI that has the law enforcement piece. Then you have DHS, who has responsibility to protect the country by setting the rules, the standards, and working with industry to help create that picture.

MR. IGNATIUS: So one obvious question, General Alexander, is what you'd say to people, following the Edward Snowden revelations, worry about private companies working so closely with the government. In these digital spaces where we all live, live our personal lives do our work, what would you say to people who raise that fundamental question, just uneasy about sharing data, even if it's supposedly anonymized? What's the answer to that?

GEN. ALEXANDER: So I think it's emphatically proving that what you're sharing is not the content of communications, company names, or IP addresses. And so we actually work with lawyers with each of the companies to show them what’s shared so they know, okay, what we're sharing is metadata. It's data about communications, data actually about packet behavior.

So when you think about it, we're talking about beaconing traffic, we're talking about things the adversary’s doing, and sharing threat-related data. We don't care about the communications, what people are doing. To be quite candid, it's really what's the threat doing to hurt this country, or to hurt that company.

So I think in this regard, companies already have some level of authority to look at what's going on in their network. We want to help them do their job. We don't want to look at the communications, but we want to help them see the behaviors of things that are going on, and share those that in a metadata form.

So in our product, all of the information that belongs to the company stays on the company premise or within their domain. So they control all that data. The events that are created are shared to the Dome, and they can see what's shared on those, and they get to elect to participate or not.

I believe this is so important for our country and our allies that we have to take these steps forward. You know, right now, if you think about what's happening to the supply chain, what's going on with the attacks just announced over the weekend here, and what we've seen with respect to attacks against Microsoft a couple of times and SolarWinds, it's getting worse. And I'm concerned that these steps are things our nation is not ready for. We have to prepare. We have to create the technology, we have to train on it, and then we have to train our nation.

And finally, I think you hit on a key point. We have to show people that what we're doing is appropriate for everyone. This is not an area where people want to look at your communications, want to invade anybody's privacy. They want to understand who's invading your privacy and stealing your intellectual property and your money. So it's just the opposite. We have also thought about a separate secure world. You set that up, and then you have two worlds. But I think eventually everybody will coalesce into this, what we just described.

MR. IGNATIUS: General, I'm curious about the reaction of the U.S. government, the agency you used to head, the NSA, government as a whole, we have some top rate people now the Biden ministration has brought in, many of them your former NSA colleagues. Chris Inglis is national cyber director, Anne Neuberger at the National Security Council, Jen Easterly at CISA, at DHS, I'm sure they've heard you make the presentation for this idea. What's their reaction? Do they want to take part?

GEN. ALEXANER: Well, the administration at large in the Solarium Commission preceding them actually talked about collective defense. So people are beginning to understand we've got to do that. They see that. I think the energy sector has actually led the way in this with folks like Southern Company, AGP, Berkshire Hathaway, and others. Their responsibility is to defend the grid. And they said we can't do it by ourselves. We need help, and we need to work together. I think that helped also push the Solarium Commission to say the same thing: collective defensive strategy is a strategy forward.

But you named three individuals who I think the world of, and add in the General Paul Nakasone--those four, I think our nation is fortunate to have people that are that good in these positions. You know, they are brilliant hardworking people going back into government service, at a tremendous pay cut, to do a job that will help defend this country. And each of them worked hard, when I was there, to ensure the defense of this nation and our allies. So I am extremely proud that they're in there doing this job for our country. And I think if we're ever going to do it, it's with the team that's in there right now.

MR. IGNATIUS: So let me ask a couple of practical questions that people in our audience who think about cybersecurity must worry about. The first question is, how safe is the cloud? For years, we've been told to move to the cloud, use cloud computing services. And it turns out in the SolarWinds hack that hit Microsoft but hit many companies that it was possible to penetrate the cloud. The cloud wasn't as secure as people had thought. So give me your assessment right now. Without your collective defense system being in place, how safe is the cloud?

GEN. ALEXANDER: Well, actually, I think for almost every company out there, small, midsize, the cloud is more secure than what they've probably had on their own [unclear]. I think the capability sort of going into the cloud--Amazon's AWS, Microsoft, Google--is actually really good. They've made some tremendous increases over the last decade in securing it with how they actually look at the cloud.

You bring out a key point. We actually have the cloud infrastructure, which is taking all these communications and allows us to do things that we could never do before. And that we have these on-prem capabilities. And so things like SolarWinds, starts on-prem, infects, and then uses other vehicles to spread that.

In this case, I think it's the issue of the on-prem and the lack of visibility that we have that impacts the cloud. So when you look at that, I believe the solution still remains with collective defense. And that includes the cloud. So when you have processes going in the cloud, and others have processes going to cloud, imagine if you could see that like a radar system, and then you could see what's hitting companies that have an on-prem portion of their network on-prem, and they are trying to secure both.

And right now, it's as if they're fighting this one lane. And over here, somebody is fighting the same lane, and they have no insight of what's going on in the other battle. They just know we both lost. And so we've got to make that visible.

And I believe, actually, the cloud is part of the solution for the future. More specifically, without the cloud, we couldn't do the collective defense that we're talking about, because you can't share the data. Securing it is the key across all of it. But it's also the key to making it visible so that you can now defend.

You know, it was interesting. When I ran Cyber Command--or prior to it in the Buckshot Yankee, the attack on the Defense Department--the one question I had for our defenders is, how did you see the attack? And the answer was, well, you know, it sounded like Johnny Depp. We really didn't have a way they got in at the beginning. So we had to go find it. There wasn't a picture of what happened.

And without that understanding, defending the network and securing it is almost impossible. So the cloud actually brings to us that capability to now do something and create this radar picture. So it's ironic that people say, I'm not sure about the security of the cloud. But the reality is the cloud is the part that changes the dynamic to help us secure cyberspace.

MR. IGNATIUS: Let me ask you about another practical threat that's in the news, and is on the minds of people who are responsible for cybersecurity, and that's ransomware attacks. I'm just curious today with your business, IronNet, and in your industry of cybersecurity, how you're trying to help companies avoid being the next Colonial Pipeline, which was hit by a ransomware attack, and whether you specifically had any cases where you've had a client that was facing this kind of attack, and if so, what you told them and how you tried to disrupt that attack.

GEN. ALEXANDER: So we've not had a client yet hit ransomware. So that's knock on wood. That's a good thing. But we've had our clients who's had some of their supply chain, or some of their legal offices, or some of their financial offices that are outside those companies hit with ransomware. And we have helped them at the request of our companies.

And there's a couple points. One, how did they get hit? The majority of it, somebody got phished. Somebody answered an email that they shouldn't or clicked on something they shouldn’t, and that got in.

But it went beyond that, because they had no visibility in the network with what was happening. They didn't see the beaconing. They didn't see this lateral movement. So beaconing means a piece of malware gets in and tells the adversary, I'm in here, here's where I'm at, and it sends back basic information to start the second phase of an attack. If you don't see that and you don't see this scanning that’s going on to find out where you are and what's going on, and other movement to move malware around. All that happens on the network to make ransomware work. If you don't see that, then the ransom takes place.

And in all those cases, the first step is how do you clean it up? And it's interesting, you see a division in those who say I'm going to pay--because I've got to--you know, think about Colonial Pipeline worried about the gas to the East Coast, how do we get fuel to those that need it? And then those who say I’ll go rebuild my network. I'll take the hit.

In both those cases, the irony is, what if we had worked together and protected that? And I like the idea that our government and our allies going after these ransomware attackers with what the FBI, what NSA, what DHS can do collectively with foreign countries, Interpol and others--let's go after them. Let's hold them accountable and make them pay a price. Right now, it's pretty free. This is a huge business. They're not gonna stop. So we're gonna have to go after them and make them stop.

MR. IGNATIUS: One of the interesting things you said recently is that you'd like to see this idea of collective defense, sharing of information, going after bad guys in cyberspace, shared internationally. You talked about that being something you could do with our AUKUS partners--Australia, U.K., U.S., which are now in a submarine pact. You've talked even about the Quad, which includes Japan, India, Australia, as well as the United States being a place where this kind of threat information could be secured. It almost sounded to me, General, as if you were talking about a broader public-private version of what you in the in the cybersecurity business called the Five Eyes partnership down the road. Am I reading that, right?

GEN. ALEXANDER: Yes, I think we do need to work with allies in this case, and for a whole host of reasons. They're under attack. Our European allies are hit constantly by ransomware. We see the attacks from Russia and China hitting them. In the Middle East, we see the same thing with Iran hitting the Gulf states with offensive destructive tools. And of course, you look at Japan, Australia, and others in the Asia-Pac area, all of them are being hit.

There's two benefits for doing this. One, I think it’s good diplomatically for our country to support our allies. And two, we get to see those attacks up front, where they're hitting first, where they're being tested.

And that can help us defend us better as well. I believe this is an element of national power. Now it's clear from what's going on. And as a consequence, we need with NATO and others to learn how to work together in this space to defend each other. I think that's a huge step forward for our nation.

MR. IGNATIUS: General, let me ask you a final question before we run out of time. I want to ask you what's the next cyber threat that keeps you up at night? What happens in a 5G world where every device is connected? What happens if people start hacking our elevators, which they could from what I know of the technology? What happens when we have hackers going after our driverless cars and trucks? How are we going to deal with that world? And if there's some other thing that you're worried about beyond what I mentioned, tell us.

GEN. ALEXANDER: Yeah, so 5G adds a couple of orders of magnitude and complexity to cyber, as you mentioned, because the number of devices that are going on the network is increasing by at least two orders of magnitude. That's huge. As you noted, it opens up the attack surface for adversaries significantly. So we have to look at that.

And I would put over here that our adversaries see cyber as an element of national power. If you want to hurt this country, what do you do? The first thing you do is you say, well, I'm going to hit them with a cyberattack.

Think of the Colonial Pipeline times 50. What does that do to our nation? And are we ready for it? My answer: We're not. We need to build that collective defense. And I am really worried with the rhetoric that we're seeing coming out of China, on Taiwan, on the South China Sea. When Xi Jinping says, bashing heads and bloodshed, that makes me worry. I am concerned with that.

And then the movement of troops, as you noted earlier, going down to eastern Ukraine, the border there. What happens if Putin takes a step? The Russians have used cyber in every engagement that we've seen since 2007, on Estonia and then in Georgia, and so on. They use that as an element of national power. And it's ironic that the folks they use are essentially those folks that are doing things like ransomware and other things. So you see that nexus of what's going on. And I believe this is going to be part of that battle space.

What I learned in the military is if you don't win that fight, you're into the next one. And so as a nation, we've got to stop it there. We have to be ready. And you know, when you think about our nation, we are so blessed with what we have today--you know, put all the politics aside. I know it's hard in Washington to do that, but put all the politics aside and think how blessed we are when you look at all the other countries. And then look at the great technology that we have. We are the most technologically advanced and dependent country in the world. We have the most to lose. And we have to get out in front and defend that, and we have to train on it. I think our future and our children's future depend on us doing that.

So I am confident that we can get there. I think we move way too slow. You know, let's do it today. Let's go fix this. But we have to get on with it.

MR. IGNATIUS: So, General Alexander, that's a perfect place to end our discussion. Absolutely fascinating tour of what's ahead, what's possible. Thank you for addressing the questions people have about privacy and their privacy worries. We really appreciate you joining us on Washington Post Live. Thank you.

GEN. ALEXANDER: Thank you, David, and an honor to be here.

MR. IGNATIUS: So we’ll be back with great Washington Post Live programming this week. Go to Take a look at our schedule of guests, register for the programs that interests you. Thank you so much for joining us today.

[End recorded session]