There have been multiple calls to look at the security ecosystem as a living, breathing entity, with a “disease control” agency watching over any digital epidemics that may arise. Keith Alexander has a different idea.
Alexander wants to patrol the ecosystem the same way we patrol the skies. Air traffic controllers around the world watch over the world’s aviation movements, communicating about any issues that arise in real time.
Alexander, and his company IronNet, want to mimic that approach for cybersecurity. It’s clear the greater community is buying into that idea as well — with the company recently raising a large round of venture capital. The former National Security Agency director spoke with us about where he sees the company headed, and how he has viewed the shift in cybersecurity policy over the last few years.
CyberScoop: Your company, IronNet, recently announced a big raise in capital. Tell me where you see the company going over the next 12 to 18 months?
Keith Alexander: I think the approach that we’ve taken is to focus on building a product that helps us evolve the way we do cybersecurity for companies, sectors and countries. The hard part is and will always be coming up with behavioral analytics that detect threats in a reliable manner and can be used to help find anomalies.
That’s the core of what we focused on over the last two years. The ability to share that information among companies, sectors and countries is the part that I think is exciting and goes beyond where we have been in the past.
It’s interesting because most people talk about sharing, but what they are sharing is what they know. The issue is that if we know about it, sharing it is a lot less interesting. When I talk about sharing, I’m talking about sharing in a way that’s similar to an integrated air defense system. Radars share information with air traffic controllers across the country seamlessly. Every radar pushes information into a computer system that allows all the air traffic controllers to track flights around the country.
Packets go much faster than aircraft. Our sharing mechanisms aren’t integrated like air traffic. So what we’re trying to do is up that game and that means sharing incidents and anomalies that our systems detect, even before we think it’s malicious. If you can share it very quickly and see things that are hitting multiple companies at a time before you even know they’re malicious, you can detect things that signature-based systems would miss. That’s what we’ve been working on for the past 18 months.
It differs from other companies in that we’re not using signatures as a basis for detecting anomalies, we’re using true behaviors. Now, we would partner with companies that do signatures and then observe those things that try to get by signature-based systems. I think that is where cybersecurity is going in the future.
CS: So does this disrupt the ISAC and ISAO models that have been set up? Do you think that there is a future in that model? It seems like this is a new way of sharing threat intel.
KA: I think all of the authorities are there, now it’s just building the infrastructure to actually do it. Think more like we’re building the “internet of sharing for cyber-events” across countries, for the express purpose of defending it. Protecting a nation-state in the future means we’ve now got to look at this cyber area as something of huge value for our country.
The relationship between critical infrastructure and other sectors in our nation has to grow within cybersecurity. What that also means is we’ve got to get the American people, Congress, the administration, everyone on board with information sharing. I think those laws already exist. I think you can do it without passing along personally identifiable information or the content of messages. Given what’s happened in the past and where we’re going now, approaching that more transparently for the whole country to understand what’s going on is a good step.
CS: Should companies be able to “hack back” on their own?
KA: I think companies should remain within their own network and have the full authority within their network to defend whatever they need. I don’t believe companies should hack back as somebody who’s hacking into them. That’s where our country has to come in, because you prevent liability issues and international issues by having companies attacked. If I were on the board of any public company, I would say, “Don’t do that.” That’s where our nation needs to come in. That’s a growth area for the government, to look at how they do it and for international partnerships down the line.
CS: We talk so much about security by design and taking the human out of the equation. Do you think we are making progress there? What more could the cybersecurity community do to take away the error-prone human part of the equation?
KA: I don’t think you are ever going to take the human entirely out, but you are correct in that having humans do things that machines are better at doing is almost illogical. So having a human sitting in the middle of a decision process where you’re taking milliseconds to come to a solution, but that you’re going to take minutes, hours or days to determine what to implement, is almost counterintuitive. What it really gets to, when you hint at artificial intelligence and machine learning, is we need to ensure that the defense has as good or better capabilities at defending than attackers have.
CS: With respect to how the U.S. is defending itself, there have been some changes in the process, most notably the rise of U.S. Cyber Command to a unified combatant command and the elimination of PPD-20. Are these decisions good for the future of how the military deals with threats?
KA: When we set up Cyber Command, we set it up at the NSA, because NSA had virtually all the assets Cyber Command was using, so it made sense to bring the NSA and Cyber Command together. The next step was to go to a unified command, perhaps along the lines of SOCOM. I think they’re evolving that way and I think that’s good.
One of the things that we highlighted at my time at NSA is you have to have rules of engagement that Cyber Command can employ for the good of the country. If you think about stopping a missile coming into the country, you have 30 minutes to make a decision. So there are certain rules of engagement that you want the head of NORTHCOM to have.
In cyber, the speed is somewhat faster. So you now want Cyber Command to have a certain set of rules to defend the country, while Cyber Command’s leader lets [the secretary of Defense] and the White House know those events are ongoing. I think that is extremely important, and it’s one of the things that I personally think they’re going toward, and I think that’s absolutely right.
I also believe those rules of engagement should be classified for a whole host of reasons, and they should be exercised with critical infrastructure that is cleared to view them. But have those discussions now so that if something were to happen, we’d be ready for it.