Bloomberg Television’s Trish Regan interviewed NSA Director Keith Alexander today at Bloomberg Government’s “Cybersecurity: Costs and Solutions” conference in Washington, D.C. In response to a Washington Post report that claimed the agency has secretly tapped into main communication links that connect data centers internationally, Director Alexander said NSA infiltration of servers “never happened.” The director went on to call the report “spurious” and insisted that the NSA does “not have access to Google (GOOG) servers, Yahoo (YHOO) servers,” and that “those companies work with us, they are compelled to work with us.”
Director Alexander also said the “NSA does collect information on terrorists and our national intelligence priorities, but we are not authorized to go into a U.S. company’s servers and take data.”
TRISH REGAN, BLOOMBERG NEWS: Thank you, General, for being here today. On behalf of everyone at Bloomberg and at Symantec and everyone in this room, we thank you for being here. There’s a lot to talk about. Cybersecurity front and center on everyone’s mind. In fact, yesterday the president met with the CEOs of Symantec, Bank of America, Visa, a number of companies to discuss cybersecurity weakness that’s facing corporate America right now. What do you consider the financial system’s greatest online vulnerabilities right now?
KEITH ALEXANDER, DIRECTOR, NSA: I think there’s a couple. The one that we see right now used most against the financial industries is distributed denial of service attacks, or those attacks where they push a lot of information into networks to prevent others from communicating. That’s a nuisance that can easily get to a severe problem if the networks were to collapse. That’s the first part.
The second that we all face is vulnerabilities in much of our infrastructure, software vulnerabilities that allows those with bad intentions to get into the network, and once you’re in the network to do things. If you think about what happened to Saudi Aramco, someone got into their networks and brought what we call a payload or a piece of destructive malware or a series of destructive malware that went into parts of their network and destroyed the data on that network.
My concern is some kind of attack that uses both distributed denial of service and a destructive payload. If you wiped out the data in some of our financial sector at the closing portion of the day, think of what that would mean for our banks and for our financial industry. Because much of our financial worth is done on the networks, as is the global community. That’s a problem and something that we have to address. It’s not just the financial communities. This is a government industry problem.
REGAN: Do you think then that financial institutions ought to actually perhaps receive a rating – they do right now – based on their credit worthiness that’s attached to their ability to fight off any kind of cyber attack? Does there need to be some accountability in the financial system to make sure that we’re not vulnerable?
ALEXANDER: I know a lot of people talk about this. My personal thoughts are the financial industry actually does a real good job of protecting their networks given what they – what they can do. I think the issue that we really see is there are things that the government knows that is classified. How do we share that with industry so that they are protected? It goes beyond that which they can protect. I think that’s a greater – a greater problem. Now that doesn’t mean that they shouldn’t have a certain standard. So I think we ought to figure out how to set that certain standard up, and then how do we create the relationships so government and industry can work together to share to get them to where they really need to be.
So what I’m saying specifically is hackers and criminal stuff, banks, Wall Street, they take – they do a pretty good job about addressing that. When we get into nation states and others that want to do us harm, that goes beyond the capacity of those financial networks. So any framework that we set up has to take those two aspects into account. Does that make sense?
REGAN: Yeah. Let me get to something that’s been in the news as of late. Germany’s chancellor Angela Merkel is accusing the US of spying on her via her cell phone. And the president is considering asking your agency to suspend its monitoring of allied leaders. Are we eavesdropping on (inaudible)?
ALEXANDER: There’s a great article by the French 24 paper. Tony Todd I think did it 24 (inaudible) some of you would google (inaudible) devices that you can use to google, google that. Scorsini (ph) made a comment that all the nations over there are spying on everybody. So let’s start with a statement by a foreign intelligence service that says everyone’s doing that.
I think the most important thing, without directly talking about what we do or will not do in the future, is to say Ms. Scorsini’s comments are right. The real question is what should we do in the future.
REGAN: Are they right? Is that a yes? Is everybody (inaudible)?
ALEXANDER: That was a question. What was your answer? I would not say that Scorsini’s a liar. I think Scorsini’s a great person. So I’m not going to accuse her of that. So – but let me just take one step further. Partnerships I think are very important here, and it goes both ways. I think what Scorsini has put out there is accurate. Countries act in their best interest. Countries and their intelligence services receive requirements to go after what’s in their nation’s interest. So from our perspective, I think the question that’s really on the table is which is the greater national interest. And that’s a policy decision and one that I think our policymakers are looking at.
REGAN: How is it in our national interest to eavesdrop on allies?
ALEXANDER: Well that’s part of the national intelligence priorities framework. And there was a series of great statements by Director Jim Clapper at testimony yesterday. So I won’t review all that because I know he does that far better than I would. He walked through that whole framework. And that’s public, so you can grab that (inaudible).
REGAN: But one of the things he did is he suggested that in fact this happens and that Chancellor Merkel likely knew that this was happening. So is she making something out of nothing in your opinion? Is she creating a media – or playing the media expressing all this outrage?
ALEXANDER: I don’t know. Being politically transparent, I don’t know what she knows and don’t know. I would tell you this. I think from my perspective where do we as nations need to go. And if the issue that’s on the table here is cybersecurity, I think that’s a very important issue. I think counter-terrorism and our partnerships, these are huge issues.
So what should we do on that? I think we should sit down. Because let’s assume that Scorsini’s right. Everybody’s spying on everybody. So everybody sitting around one of these tables, every one of you is spying on everybody else. But the real question is what can hurt our country? We agree that it’s terrorism and cyber. So the question from a policy perspective, not mine but from a policy that we’re now asking is is there a better way to move forward. How would you answer that?
REGAN: Is there? I’ll ask you.
ALEXANDER: I asked you. You asked me. I think there is. I think the partnerships in some cases are more important, but we have to define it and it has to be both ways. We cannot be naive to say, well, it’s just us or it’s just them. If everybody’s doing it to everybody on that table, what you – spying on everybody. That’s what I meant. That was close. What you need to do is to say so, look, there’s two threats that can hurt us, cyber and CT. I think we absolutely need to (inaudible).
I think what the president’s review group is doing and what the policymakers are doing are addressing that. You now know where I sit, not next to you but on this issue. And that is – I’ll slow down for the rest of you. I think this partnership with Europe is absolutely important, but it’s got to be done with everybody coming to the table. And as you – as you suggested, let’s put off all the sensationalism and stuff and say is there a better way for our countries to partner.
I spent six and a half years in Germany. I have great partners in France and Germany and throughout the rest of Europe. My answer to that, I believe there is. I think it’s something that we have to do in a deliberate process, and we need to sit down with them. Because of our country, we need to solve that terrorism and cyber issue.
REGAN: But have all these allegations that have come forward from Edward Snowden in fact hurt that process, hurt those partnerships, causing more problems on the international relation front or more problems with you and your agency trying to coordinate with overseas intelligence agencies?
ALEXANDER: Yes. (Inaudible) a multi-part question and I answered yes. You’ve got to figure out which part (ph). It does hurt, and on a couple of issues here. It’s like saying at the table, now only one of you can be accused of it but all of you are doing it. So what it is and how do you fix that? And the answer from my perspective, you saw in the press yesterday that not all this stuff is accurate. It is not accurate. The perception that NSA is collecting 70 million phone calls on France or Spain or Italy is factually incorrect. That’s not our collecting. What would we do with that?
REGAN: (Inaudible) actually Europe collecting data on Europeans.
ALEXANDER: No. This is actually countries working together in support of military operations collecting what they need to do to protect our forces in areas where we act together as nations and in our counter-terrorism efforts. It has nothing to do with collection on Europe, period.
REGAN: Multiple countries then.
ALEXANDER: Multiple countries. I think (inaudible) multiple countries (inaudible) figure that out.
REGAN: So given there’s information that – that you’ve pointed out is false that’s being reported in the media and that you needed to come out and correct, how does the NSA stay ahead and in control of the story so that the right facts are actually out there when there’s so much secrecy around the program?
ALEXANDER: That’s a great question because you’re hitting at the heart. We’re an intelligence agency. And here’s the way we act (ph). So I’m going to come back and push hard at this because you as Bloomberg News will have greater insights than I do on how to do this. But here’s the issue for our country. So NSA is really good about finding terrorists. Look at all the things that we’ve done to protect this country and our allies. Fifty-four different events, 41 terrorist-related plots. Thirteen of those material support for terrorism. We do a great job of protecting us and our allies in Europe. How do we do that?
Well, think about the work we do in Iraq and Afghanistan and around the world. We have great insights to terrorists. But if a terrorist is calling into the United States, how do you know if that’s a bad number or a good number? And so what NSA’s job would be is to help you understand that it’s a bad person calling and give that to the FBI. We don’t want to collect and we don’t collect the content of US person’s emails or phones, but that’s hyped out in the press and everybody says they must do this with everything. Think about it. We don’t have enough people to do that. Why would we do it? There’s no intelligence value.
Here’s the fact though. For the good of this nation, we’re holding this hornet’s nest, okay, call it the business record FISA, so that we can defend this country. I would love to give this hornet’s nest to someone else and say, you get stuck by this but don’t drop it because that’s our country. And if we do drop it, the chance that a terrorist attack (inaudible) increases. And that would be wrong.
So NSA, I, Chris and the other leaders of NSA said we’ll take the beating because it’s right for this country to know that we’re going to protect. We don’t do a good job of explaining it. We really don’t. And we don’t get out in front of the press for one reason. We don’t want to make a mistake. If we make a mistake, there’s a chance a terrorist act would get through and people die, and that’s because we were stupid in public. And we don’t want to do that.
So now coming back to your question, so how do you do that? How do we work with the press? I’m thinking is there a press place around here and people in the press that could help us? You might know one. That was a joke. I’m sorry. She’s writing down, do we know anybody? Nope. Can’t think of anybody. So – so the answer is how do we do that.
Here’s – here’s the reality. Think about this. You now know that that’s false. And many people knew that the facts of this collection in Europe was false, but look at how long that story was up here, and the fact that it was false and put out by the White House a week ago didn’t get any traction. Why? Traction is selling newspapers on false stuff rather than putting the facts out.
REGAN: General, we’re getting some news that’s crossing right now being reported in The Washington Post that there are new Snowden allegations that say the NSA broke into Yahoo and Google’s databases worldwide, that they infiltrated these databases. This is just crossing as I speak. Can you confirm or deny that?
ALEXANDER: Not to my knowledge. That’s never happened. In fact, there was this allegation last June that NSA was tapping into the servers of Yahoo or Google or our industry reps. That is factually incorrect. The servers and everything that we do with those, those companies work with us. They are compelled to work with us. This isn’t something the courts just said, would you please work with them and just show (ph) data over it? It is compelled.
And these are specific requirements that come from a court order. This is not NSA breaking into any databases. It would be illegal for us to do that. And so I don’t know what the report is, but I can tell you factually we do not have access to Google servers, Yahoo servers. We go through a court order. We issue that court order to them through the FBI. And it’s not millions. It’s thousands of those that are done, and it’s almost all against terrorism and other things like that. It has nothing to do with US persons.
If we want to get the content of a US person’s email or phone number – now here’s a key. Most of the incidents that we have are finding out that a person in a foreign government is a dual US person. That’s a violation for us, or if it’s a terrorist but it’s also a US person, that’s a violation for us. We have to expunge all that communication and go get a court order and work through the attorney general.
So I don’t know all these allegations, but here’s the hard part. So let me ask you this. So when you get something like that that people throw out that’s spurious, how do you fix that? Any insights?
REGAN: How do you?
ALEXANDER: No, I asked you. You’re the (inaudible).
REGAN: You’re the expert. You’re the expert. So are you saying in this particular – and again, we don’t have all the details, but Edward Snowden saying that the NSA has infiltrated Yahoo and Google databases. Would one assume then that if in fact the NSA was looking at data that these companies had, they did so via a court order?
ALEXANDER: That’s correct. And so the question is I don’t know what his allegation is. NSA does collect information on terrorists and on our national intelligence priorities, but we are not authorized to go into a US company’s servers and take data. We’d have to go through a court process for doing that.
REGAN: So let me ask you, in light of all of these allegations, has the prism —
ALEXANDER: Can I add one thing (inaudible)? Because if you think about it, these same companies that we issue court orders to, other countries around the world do the same thing to them. Many of them in their lawful intercept programs. They go to one of these service providers and say, do you have any information? It’s the same process that we use.
And so this is not something that our government does different than others. From my perspective, the one thing our country does that goes far beyond is that we have a framework – a legal framework that says here’s how you’re going to do it as an intel agency. If you were to compare that with all the intelligence agencies around the world, you’d see few that have a court process for doing it with the oversight that we have. So that might be something to look at.
REGAN: Well this is one of the things that has shocked so many Americans, I think this – learning that the NSA and some of these technology companies were working in cooperation with each other via court orders. Has it – have you been affected at all? Has your agency seen less cooperation from the Facebooks and Googles of the world as a result of Snowden’s information?
ALEXANDER: There are issues that those companies have. And part of this, to be fair to those companies, they are compelled by court order before and today. It is not an option for them. They would be in contempt of course if they don’t comply. And I think the issue is the way it’s put out is as if they’re just throwing data to us. They are not. From my perspective, what they’re doing is they provide us, just like they do other countries who ask for data. Those countries that come forward with a correct warrant get what they’re (ph) in their own countries. So we do the same thing.
I think this is one of the areas that is grossly misunderstood and needs to be fixed. From where I sit, our companies are doing the right thing. They comply with the court order. And yes, they know at times – many times they help stopping a terrorist event.
REGAN: A lot of Americans worry that it’s too easy to get a court order. Is it?
ALEXANDER: No. There was – and there’s some great articles by some of the judges on this Judge Walton did recently. So you can look that up. The facts are – I know what everybody says, but you go look at the facts. In this area here, it’s harder than it is in a Title III warrant, a criminal case. So think about that. This was mentioned yesterday by the deputy attorney general in the hearing. And they said we are doing – making this harder for us to go after terrorist information than we do some of our own criminals. Does that make sense? That’s the way we’ve set up this framework.
And that’s to ensure you that we’re doing our part right. And so I believe if we could lay everything out, here becomes the issue. If we were to have all the terrorists in the room please leave for a minute, we could put this data out and get everybody everything that we know. The issue is not only are you listening, but they’re listening too. And they learn from this. We have seen them make changes. What this means is that the probability of successful terrorist attack has increased. That’s the irreversible substantial damage to this nation. That’s what causes us great concern.
REGAN: Still not everyone agrees. I’ll cite Representative Sensenbrenner, who’s introducing legislation to end bulk collection of data such as what we’re talking about here. And he’s actually the very congressman who wrote the section of the Patriot Act that has been used to justify the NSA’s broad surveillance activities. Even he’s saying that it’s been misinterpreted. Do you think that the NSA’s program really stands on strong legal footing?
ALEXANDER: Well, it stands on strong legal footing. The issue is what will the policymakers in Congress authorize in the future? That’s a decision that they have to make. My job is to explain the gap, the threat and the risks. Their job is to legislate knowing those gaps (inaudible) we will follow the rules and the laws and the policies as given to us. But you and the rest of the people need to know that there’s a gap. We want you to know.
See, in 9/11, part in 9/11 and after 9/11, the intelligence community was beat up for failing to connect the dots. What that means is we know stuff about what’s going on overseas. FBI knows stuff here in the States. How do you connect the dots? That’s where this metadata comes together. There is no information on US persons (inaudible) date time group and a duration of the call. Your name’s not in them. My name’s not in them.
What that allows us to do is understand is there a terrorism nexus to this call chain. If not, nothing happens. If there is, we pass that to the FBI. They go through the correct procedures. If you don’t have that – so my question to everybody is I am looking for – and there are some technology people here. If you have a better way of doing it, we should do it. I am all for a better way.
REGAN: Well if the representative’s bill in fact becomes law, how would that affect your ability to do your job?
ALEXANDER: Well, it means we stop that part and it means there’s a gap. We’ll do the best we can. But the ability to see what’s inside and going on and us to provide that is – doesn’t exist there. We’d have to come up with a workaround, and those are very hard. We haven’t been able to come up with one. So that puts – do you remember the Midar (ph) San Diego 9/11? So Midar was in San Diego but we didn’t have a database that would allow us to see that he was actually in San Diego and part of the – of that call chain. He was one of the people on American Airlines flight 77 that crashed into the Pentagon. So how do we fix that?
So I think the question is there’s a risk. This will be a congressional debate. We’ll follow whatever it is. My job is to articulate those risks, Congress to legislate and the executive branch to weigh in. And this is where it needs to be transparent to the American people. Why – why have – why do we do it that way? That’s the way our process works. We’ll follow it.
REGAN: The process isn’t easy lately between the shutdown, the dysfunction in Washington. Is that affecting you?
ALEXANDER: Well, it affects everybody. But I think there are good people working hard trying to make this country work. And we have some significant problems with our debt and other things. And how you solve that, that’s a big issue. That goes outside my area of expertise. Bloomberg’s got (inaudible).
REGAN: Let me – let me ask you about something that – that people are very curious about right now, and that’s the question of how does this all happen. In other words, if you’re collecting data on world leaders, how much does the president know? When does he know it? President Obama said he did not know that the NSA was eavesdropping on Merkel and other world leaders. Who’s actually deciding here who we should target?
ALEXANDER: So the national intelligence priority framework actually is the one that sets all that up. And again, I defer to the discussion that Jim Clapper put out yesterday because I thought that was an excellent overview of how that whole process works. So I’d just urge you to go to that.
REGAN: Does the president receive daily briefings?
ALEXANDER: He’d talk to that (ph). So I don’t actually – I’m not in all those briefings and I can’t tell. I can tell you this. When I look at the president and others, these are people trying to do the right thing for this country on both sides of the aisle. I don’t see anybody acting. I don’t see anybody lying. I think they’re just trying to do the right thing. This is a tough area.
And the question is so – I think the real question that we face is how do we work with our allies. That’s the real issue. From our agency, from NSA, Chris Inglis and I, we’re the deputy, deputy director. We’re responsible. We’re the ones who run that organization. Here’s what we’ve told our people. Look, we’re holding the hornet’s nest. This is what the nation needs us to do. You guys defend the country and protect our civil liberties and privacy. We’ll take the heat. Now we didn’t realize it would get that hot.
REGAN: What do you anticipate in terms of further revelations from Edward Snowden? Here we were just moments ago and there was another report. We can probably assume that there are going to be many more over the coming weeks. What are you most concerned about there?
ALEXANDER: I’m concerned that we give information out that impacts our ability to stop terrorist attacks. That’s what most of these programs are aimed to do. I think everything that we’ve done, we’ve put out there – I believe if you look at this and you go back through everything, none of this shows that NSA is doing something illegal or that it’s not been asked to do. And in all those cases, so it’s legal, it’s necessary, and it’s authorized in every case. If people say well I didn’t – in the press or the American people say, well I didn’t realize A, B and C, Congress, the courts, the executive branch all briefed on all those things. So from my perspective —
REGAN: So are you saying that they were briefed on (inaudible) for world leaders?
ALEXANDER: No. I’m saying the business record FISA, FAA 702 and all this. What I’m talking about there is on these programs, we all came together as a country. And this is – I think from my perspective, that’s on the table. Some of that was done with the foreign intelligence surveillance court for a reason, a classified court. Because as we mentioned, if we bring it out to everybody in the room, then the terrorists will know how (inaudible). That’s not in our nation’s interest.
So from where I sit, I’m concerned that we will do things that continue to impact our nation’s security. That’s the key. And what that means is the chance of a terrorist act getting through has increased. And that’s wrong.
REGAN: You think a chance of a terror attack because of these –
REGAN: – leaks from Snowden is higher now?
ALEXANDER: I do, absolutely. Because terrorist groups are changing the way they operate. It makes our finding them and tracking them more difficult. And the people who will pay are innocent people here in our country and overseas. That’s wrong. It needs to stop.
REGAN: You’ll be retiring from your position this spring. The timing of that, was that in any way linked to the Snowden revelation?
ALEXANDER: No. No. In fact, that’s been going on for many years. I would – I came in in 2005 on a three-year job. Being unable to count, and actually not being able to get the – no. I got extended in 2009, then 2009 to 2010 to 2013. I was asked in 2012 to extend to 2014, and we agreed that would be the last one back before Snowden. And so this is something that’s been in the works. I’ll have almost 40 years in the service and a little – almost nine years at NSA. And there’s great people coming up behind us who will do a great job.
REGAN: What is their biggest challenge going to be, the biggest challenge for your successor?
ALEXANDER: The biggest challenge? Hopefully we’ll have addressed the issues that we’re currently facing and move forward with our partners, industries and allies. And so theirs will be building that new future, how we do that for the good of our nation and our allies. And we need to move beyond the media leaks. My job is to help us do that.
REGAN: Before I let you go, if you could just tell us, what do you tell Americans who are worried that the NSA is reading their emails or listening to their cell phones or seeing who they text? What do you tell the average person out there?
ALEXANDER: So that’s not true. We’re not doing that. And if we – and for one, and it would be the FBI that would go under a court order. So you need a court order to get the content of a communications, whether it’s email or phone. And for NSA, our job is foreign intelligence. So the fact that people say we’re listening to phone calls or reading emails, I see all the cartoons out there. But the reality is it’s factually incorrect. That’s not our mission. Our mission is to know what’s going on outside the country and tell you about the threats that are coming into it.
And so that’s where the business record FISA and all this comes in. And all that dealing that we have with these companies under FAA 702 is not about people here. It’s one end point (ph). It’s on the other guy out there and that their comms (ph) are stored here. So when you think about that, this is where the press can really help inform the American people on these facts. I think this is very critical for our future. If we stop doing some of this, we’re going to create a gap.
Now at some point I’ll get to set down this hornet’s nest. Somebody else will pick it up. If no one picks it up, we got a problem. It doesn’t mean that we don’t have a problem today, that there aren’t people trying to get through. It’s clear. Just this month, over 2,300 people were killed in five countries by terrorist-related attacks. Look up the statistics. In 2012, over 15,000 in a CNN report in 8,500 terrorist-related attacks.
Why hasn’t that happened here? Why have we been so successful? It’s not by accident. It’s because you have great people in the military and the intelligence community doing everything they can with law enforcement to protect this country. But they need tools to do it. If we take away the tools, we increase the risk. And we ought to go into that with our eyes wide open. And I (inaudible) already.
REGAN: General Alexander, thank you so much. Great to have you here.