In one of his final Capitol Hill appearances, Gen. Keith Alexander, the National Security Agency’s director, called Thursday for a stronger strategy to deter cyberattacks, saying the line that would prompt a U.S. response against an adversary “does not yet exist.”
Alexander, who retires next month after nearly 40 years in the Army and almost nine at the helm of the NSA, said his greatest concern was a terrorist attack against the United States or Europe.
He also addressed the ongoing controversy over NSA surveillance, saying he was open to some proposed reforms. One of the most controversial disclosures involved the NSA’s telephone metadata collection, which gathers information on billions of U.S phone calls from several domestic phone companies so that the agency can sift it for clues to terrorist plots. President Obama, while asserting that he believes the program is useful and legal, has called for ending it in its current form to help restore trust in the agency.
One option that Alexander called feasible involves sharing what amounts to a watch list of suspected terrorists’ phone numbers with phone companies. The companies would search for links to other numbers, returning that data to the government.
He said if the government could work out a system in which it could share those “terrorist selectors” in a classified manner, “it sets the case in precedent” for sharing classified threat data with industry for cybersecurity purposes.
Alexander alluded to incidents that have disrupted the Web sites of U.S. banks and destroyed data in a Saudi oil company’s computer network and wondered aloud how the United States should respond to a major cyberattack.
“The question is,” he said, “when do we act? That’s a policy decision. . . . What we don’t want to do is let it get to the point where we find out, ‘Okay, that was unacceptable,’ and we didn’t set the standard.”
Alexander, who is also head of the U.S. Cyber Command, said deciding what is an “act of war” in cyberspace is a political or policy decision that is based on an attack’s impact. “I would submit that if it destroys government or other networks to a point that it impacts our ability to operate, you’ve crossed that line,” he said.
In any future military conflict, cyber-capabilities are likely to be integrated into a broader set of military options and not seen as a stand-alone weapon. They could be used, he said, in “phase zero” operations — for instance, to gain access to an adversary’s computer systems that control radar or communications, positioning the attacker to blind the radar or disrupt a command signal.
Asked what a major cyberattack on the county would look like, he repeated familiar scenarios — that it could shut down power in the Northeast or close the New York Stock Exchange, with a potential toll of trillions of dollars and thousands of lives.
He agreed with several committee members who said they felt the prospect of an attack warranted the need for legislation to enable the sharing of cyberthreat data between industry and the government.
“And when it comes to bipartisanship, I would allow Sen. [Sheldon] Whitehouse to write the bill,” quipped Sen. Lindsey O. Graham, (R-S.C.), in a nod to his Democratic colleague from Rhode Island and an advocate for cyber-legislation.
Alexander, a career intelligence officer, said his greatest concern for the United States and Europe is a terrorist attack “that galvanizes some of these Islamic fundamentalists into a true fighting force.” He said he believed that “we don’t have the proper footing, especially with our European allies, to stop that.”
The NSA has helped thwart terrorist attacks in Europe, he said, but some of its capabilities to do so have been diminished as a result of leaks beginning last June by former NSA contractor Edward Snowden.
“So our ability to stop [terrorist attacks] has gone down just when they’re growing,” he said. “Look at Syria, Iraq, all of that. And I am concerned, over the next 12 months, something . . . bad will happen.”
He said he was worried that terrorists “are learning how we stop them and they’re going to get through.” The real issue, he said, is that “we’re giving away a capability, which means there’s one less tool, or that tool is . . . minimized in its capability for stopping terrorist attacks and understanding what they’re up to.”