Cyber Security in a Dangerous Time
Gen. Michael Hayden explains why protecting the domain is still so hard
One of the foremost experts in the United States on cyber security, Gen. Michael Hayden has more than 40 years of experience as a military leader. He’s a retired four-star general, and he served as the director of the Central Intelligence Agency and as the director of the National Security Agency (NSA) during a time of tumultuous world events.
At the 2016 ETA Strategic Leadership Forum in October, Hayden leveraged that experience into a frank discussion about the state of cyber crime, including the current political landscape, the global threat of terrorism, and how private-sector businesses will have a front-row seat in shaping the future of cyber security.
Who’s Doing What
In his work at the NSA, Hayden found himself trying to convey to savvy audiences the paradoxical and profound effect the advent of the internet and digital technology has had on society and on every aspect of human life. While it has empowered a world, it has also introduced unprecedented kinds of insecurities and risks.
“It’s the biggest deal we’ve experienced since the last great age of globalization,” he said. “It’s the biggest thing our species has experienced since the European discovery of the Western Hemisphere and the voyages—the discovery that brought the world together.”
The sea voyages drew together civilizations that were developing autonomously and created the greatest leap in human learning and advancement, along with epidemics, global slavery, and other threats to society, Hayden argued. Similarly, our current age of digital globalization has introduced both “nourishing” and “poisonous” effects on society—data theft among them.
“It is such a big deal that your armed forces, your Department of Defense (DoD), now describes cyber as a domain,” along with land, sea, air, and space. English translation? It’s a location that our military fights for and protects. “This is a bigger deal than even the best of us truly appreciate. It is a whole new domain where you and I are now existing, where our ancestors never existed before,” he said.
But the cyber domain is distinctively different than the other spaces because it is manmade. It started out as a DoD project with the goal of moving large amounts of data quickly and easily to a few known entities, including federal labs and top universities such as Stanford and MIT. Security concerns didn’t factor into the initial project’s work, Hayden explained. The original architectural principle—large amounts of data delivered to a limited number of known and trusted entities—remains the principle of today’s internet, which has a seemingly limitless number of entities, most of which are unknown and untrusted. That, he said, is the fundamental issue of cyber security, and it only grows more serious as more people become connected.
Five years ago, a “cyber attack” primarily consisted of someone stealing another’s information, be it a “PIN number, credit card number, negotiating position, intellectual property, embarrassing emails, whatever,” said Hayden. Now, security experts are seeing more dangerous and sophisticated activity, including data corruption, network denials, and physical destruction.
“The poster child for [physical destruction] is something called Stuxnet, which was an attack on the Iranian nuclear facility at Natanz,” Hayden explained. “Someone, almost certainly a nation-state, used a weapon comprised of ones and zeros to destroy—during a time of peace—what another nation could only describe as ‘critical infrastructure.’”
Hayden categorized the perpetrators of these more sophisticated activities as nation-states, criminal gangs, and hacktivists—activists such as Anonymous and LulzSec. “I think the ones [payments professionals are] most focused on are criminal gangs,” he said. “You’re where the money is, so that’s where they go. But, I don’t think you’re immune from the others,” he said, adding that at one point Iran conducted a massive distributed denial-of-service attack against a series of American banks, including Bank of America, Wells Fargo, JP Morgan Chase, and others.
Fighting Back
After explaining the details behind a series of headline-making cyber attacks around the world, Hayden discussed the challenges of fighting cyber warfare. In the case of “weaponizing” the digital space, he entertained the notion that a less “modernized” infrastructure could be immune, citing the Dec. 23, 2015, Russian attack on the power grid in Crimea and the Ukraine.
“It could’ve been worse. Most of the Ukrainian grid is still analog, and only the portion that was digitized went down,” he said. “Not very comforting, speaking to the citizens of a nation [that has] an entirely digitized national grid, and who are right now creating a smart grid so that all parts of the grid can talk to one another… . Actually, it’s a great way to govern the grid. It just makes it very, very vulnerable.”
So what is the U.S. government doing to protect the cyber domain and its citizens? “Not as much as you would think,” Hayden said. And the reason is more about civil liberties and less about political dysfunction. As a nation, Americans have yet to decide how to balance their right to privacy with government protection.
“Let me put it another way: You, personally and corporately, are going to have to be more responsible for your safety [in cyber space] than you have been required to be responsible for your safety since the closing of the American Frontier in the 1880s,” he said.
Still, the government is taking some action, including imposing economic sanctions against countries doing wrong. The Department of Homeland Security also has statutory responsibility to defend critical infrastructure, Hayden pointed out. But unless the attacks are “so vile, so big, so important that the Department of Defense” has to respond, then the private sector is “on its own” to defend against attacks.
“The instinct of our government has been—in the cyber domain as in physical space—that the main body was the government… . We may have that wrong. It may actually be in the cyber domain, the main body for American defense is the private sector, not the government, and the government, then, should conform its movements to the movements of the main body, rather than the other way around.”
Need an example of his rationale? The lawsuit between Apple and the FBI last year, after the agency demanded Apple create a “backdoor” to its encryption code so that investigators could access the iPhone used by Syed Farook, who carried out the mass shooting in San Bernardino, California. Hayden, along with other prominent defense officials and security experts, sided with Apple because they believed that the good that could be gained was far outweighed by the security fallout that would have resulted from “punching a hole into the [encryption] system.”
With the cyber domain still evolving, Hayden also pondered influencers, rules, and regulations, especially if we see government conforming to the movements of the private sector. How will laws be adjusted to accommodate the new realities and opportunities provided by technology? “When it comes to the 21st century definition of privacy and what constitutes a reasonable expectation of privacy, [Mark Zuckerberg] is going to have more influence over where we land than the Congress of the United States,” said Hayden. In essence, he expects political and commercial structures to adapt because the technology is so transformative to society that it cannot be denied.
Risk Management
To conclude his discussion, Hayden offered a modernized view of the classic risk equation for the cyber domain. Vulnerability reduction—passwords, firewalls, good systems hygiene, and so forth—if executed perfectly, prevents about 80 percent of hackers, he said. While still necessary, it alone isn’t enough. Current cyber security demands “presumption” of breach and response.
“The difference between an A and an F player in consequence management is the time between flash and bang, the time between penetration and discovery. And, frankly, for all of American industry—not yours, but for all of American industry—that time between flash and bang is routinely measured in months, which is really bad.”
While difficult, accepting that hackers are getting, and will continue to get, into a network is critical, Hayden added. “You need to be able to fight your network. Protect your more precious data more tightly, be able to detect when you’re penetrated, be able to reject the penetration, but it’s more of an active combat scene rather than deep moat, high walls,” he said.
In the future, cyber threat intelligence will be at the core of cyber security efforts, according to Hayden. These private-sector companies perform web crawling, port scanning, chat room monitoring, and more, and provide clients with actionable threat warnings. Cyber insurance may also help elevate the level of positive, proactive behaviors by American businesses because it rewards good network security with a more favorable rate. “Rather than have the government come into your offices with a whistle and a cap and a clipboard, and check [if] you’re complying with government regulations,” he argued, “this is a business model that actually would animate a lot of American industry to go for better cyber insurance.”