Former NSA Chief Assesses U.S. Vulnerability To Cyberattacks
NOEL KING, HOST:
Who hacked the Colonial Pipeline and caused panic buying of gasoline? Yesterday, President Biden said he doesn't believe the Russian government was involved.
(SOUNDBITE OF ARCHIVED RECORDING)
PRESIDENT JOE BIDEN: But we do have strong reason to believe that the criminals who did the attack are living in Russia. That's where it came from.
KING: Now, in a separate incident yesterday, hackers released thousands of records from the D.C. Metropolitan Police Department after a ransomware attack. With me now is General Keith Alexander. He was director of the National Security Agency, and he's currently the chair of IronNet Cybersecurity. Good morning, General.
KEITH ALEXANDER: Good morning. How are you doing?
KING: I'm doing very well. Thanks for being here. Back when you led the NSA and Cyber Command, you talked about our country's readiness for cyberattacks on infrastructure. At the time, you rated it a 3 out of 10. Where would you put it now?
ALEXANDER: Well, I think we have a long ways to go. I'd still rate us at a four or five.
ALEXANDER: I think the executive order does a lot to cover the gap that we have in protecting this nation because, right now, every company defends itself, and the government can't see attacks on those companies. So I really like the part where the executive order says we're going to work the public and private sector together. We have to do that to defend this country. We have to work together, create, if you will, a radar picture where we can see attacks on companies. We can't today. You see what happened with SolarWinds, what happened with the Microsoft hack and what just happened with the Colonial Pipeline hack. We couldn't see that. The government could not see it, and they can't defend us. So we have to work together. We have to share information. I think the executive order hits that right up front. And I think that's the most important thing - work together.
KING: Does the executive order mean that companies need to be more transparent? And does that tell us that companies have resisted being transparent for some reason?
ALEXANDER: Well, my experience working with the commercial sector, especially the energy sector, is they want to share information with the government. It is difficult to share information with the government back and forth because there are so many rules and things that the government has. Sharing actual information on anomalies vice the content of communications gets people nervous. But we can share threat-related information without any personally identifiable information, without the content of communications, without company names, and still protect this nation. So we can do both. We've got to prove that to people. But I think that's the important part, how we share that information on threat that shows us what's happening. It's like sharing the air traffic control picture. You don't need to know who's inside the plane. We just need to know if the plane is good or bad.
KING: So within this executive order are a couple of interesting things. It says any cybersecurity software that is sold to the federal government has to meet certain standards. It also sets up a review board to look at hacks. This is what you're talking about with respect to airplane crashes. Would this order, in your mind, would it have prevented something like the Colonial Pipeline attack or would it just help us figure out who did it?
ALEXANDER: Well, I think if fully implemented, if we actually do the public-private sharing and we team together and practice that, it would prevent it. And that's really - you're on the key point. We need to prevent the attacks, you know, up front. You want to prevent the SolarWinds, the Microsoft and this Colonial. And you can do that by sharing information between the public and private sector. You don't want to be an incident response all the time because all the bad things happen. So up front, share information and they have that at the very beginning of the executive order. So I think that's the key part. And it also means sharing what our supply chains are doing and getting them to work together with companies so we can see the width and breadth of what adversaries are trying to do. So from my perspective, a collective defense approach is the key to the future of cybersecurity. That's what I needed when I was running NSA and Cyber Command. And I think that's what they need today.
KING: Let me ask you lastly, one of the big challenges here is that hackers tend to operate in other countries. Let's say this was someone in Russia. What do you do about that? We can't prosecute them here.
ALEXANDER: Well, I think the president hit on that yesterday - that, you know, these guys likely sit in Russia. They have to be held accountable. If you want to stop it, we can't just block all the time. We need to hold them accountable and make them pay a price. And I think this is where Russia can say, are you in this or not? Help us get...
KING: Yeah. Yeah. So it comes down to accountability. General Keith Alexander - sorry to cut you off - former director of the NSA, thank you.
ALEXANDER: Thank you.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.