As the only person to ever head both the US National Security Agency and the US Central Intelligence Agency, ret’d Air Force General Michael V. Hayden has a lot of experience in seeing around corners. He’s now a global security consultant, helping companies and governments to protect themselves against cyber threats and other dangers. Last week, Hayden, also a director of Motorola Solutions and a distinguished visiting professor at the George Mason University School of Public Policy, said in a rare extended interview that Chinese telecommunications giant Huawei Technologies shared sensitive US information with the Beijing government. In a brief aside, he added that he’s undecided as to whether corporations should be allowed to go on the cyber-offensive, even in the absence of government intervention and protection.
Quartz talked to Hayden about the threats private companies face and whether they’re well-positioned to address those threats for themselves, and for humanity.
What cyber threats do you find most concerning?
You’ve got three levels of threats; the shorthand is steal, disrupt and destroy. You’ve also got three levels of actors. You’ve got nation states, you’ve got criminal elements and then you’ve got that mass out there; activists, nihilists, anarchists, Anonymous, Lulzsec and so on. And blessedly the order I gave them to you—states, criminals the rest – is pretty much a ranking of their capability. And what we’re seeing is that all the boats in the harbor are going up, and so capabilities we now associate with criminal gangs or mid-range nation states will over time become available to this third group.
As tough as attribution is, nation states still have to believe that they are responsible for their actions. There can be sanctions and retaliations. Criminal groups, they’re after the money, and they’re in kind of a symbiotic relationship with their targets and even in nature, the parasite would be unwise to kill the host. But the third group, they have sometimes unreasonable, unmeetable, undefinable demands. In one, three or five years, you’ve got a group out there that’s opposed to capitalism, let’s say. And if they start to get some of these advanced capabilities, the very destructive attack for ideological purposes is going to be more possible and more likely. So my line to folks is, this is going to get worse before it gets better.
What’s the most pressing issue right now in cyber security?
Governments will do a little bit more [to help]. But I actually think this is one case, among many, where government is not the answer. The private sector is stepping up to do things in the cyber domain that we generally have allowed governments to have monopolies of in the physical domain. The most recent development is the creation of private sector cyber threat intelligence organizations. And I don’t mean ‘intelligence like,’ I mean ‘intelligence,’ with port scanning, web crawling, having foreign national employees assume personae in foreign chat rooms and now selling their product not just to the private sector but to governments. I think that’s a very good thing.
Once you do threat intelligence in these other domains, governments then work to reduce the threat. Rather than you being back there as an international entity, trying to defend yourself from all abstract threats using all abstract tools, going after all abstract targets in your network, [these firms] can actually provide you with intelligence that says the most likely attack against you will be from these people, for these purposes, with these tools, which then allows you to get a higher return on investment in terms of how you defend yourself, both actively and passively. But that’s different than teeing up counter-battery fire, you know? And that’s where we are. That’s the debate. Should the private sector be allowed some limited counter-battery fire?
Should companies be able to go on the cyber-offensive?
I’m not yet convinced that the private sector reducing the threat, i.e. disabling the threat, is a good idea. But it’s certainly an idea that’s circulating out there. There are some merits to it because the government is late in meeting the need in this domain. And so much advantage goes to the offense that playing strictly defense, you’re always disadvantaged.
But I’m not quite prepared to say, so, let’s go ahead and let these guys launch some rounds downrange, because it could be undisciplined, it could impact other sectors, it could generate counter-battery fire against people not involved in the original skirmish, it could have unpredicted and unpredictable collateral damage. It could turn the digital domain into a digital free-fire zone. So I’m not quite prepared to endorse it. But the amazing thing is that there are a lot of people talking about it now. Go to [former NSA general counsel]Stewart Baker’s blog and he lays out a pretty interesting case for it.
What else can companies do to protect themselves?
Number one, get good intelligence because you can’t do this abstractly. You’ve got to focus on the most likely threat, the most likely target and the most likely tools. Otherwise you can spend money forever and not know that you’re any safer. It gives you a greater return on investment. The second thing, build up your defenses, reduce your vulnerabilities as much as possible. But the good bad guys are getting in. And therefore, presume breach, presume penetration and begin to plan and program to operate while under attack, to operate while penetrated. And here the magic word is less pure defense and more in the character of resiliency. Recover, respond and wrap your most precious data more tightly than other things on your network.
Why hasn’t government done more, in the US and elsewhere?
We have not yet decided, by broad consensus, what it is we want the government to do here, or what it is we will let the government do here. It is not a question of technology, it’s a question of privacy and civil liberties and the appropriate role of government in a domain in which we’ve got, what, 25 years of experience?
Is it legal for companies to fight back in cyberspace?
Here I’m quoting Stewart [Baker] again; Stewart tries to remind you of the last black and white cowboy movie you saw where the bank got robbed, the sheriff and his deputy got all the able-bodied men of the town and had them raise their right hand and said we’re going to get our money back. In other words, normal people from the private sector were authorized for a limited period of time with certain tools under certain supervision for a limited purpose to act like a government. And Stewart asks the question, hmmm, I wonder if that’s possible.
And by the way, when I get people hyperventilating about this in an audience, I say look, before you just casually dismiss it, look at Article One of the Constitution. And when the United States government was too weak to defend America in another domain, that one the maritime domain, the Constitution actually gives the Congress the right to issue letters of marque and reprisal. Yeah, privateers! So we do have an example in our history in another domain, which was global and new and ungoverned, that at times in our history, Congress has authorized private people to go out and raid somebody else’s commerce. I’m not recommending it, I’m saying you can’t just dismiss it as inherently crazy. You have to argue against it with good points.
What can companies do to hackers who have breached their systems?
I’m international corporation X headquartered out by Dulles [International Airport]. And somebody has penetrated my network and is living on it. Is that implied consent that I can treat him just like I treat the people who are authorized to be on my network? Has he, by penetrating my network, now put himself somewhat under my authority? That’s a pretty good question [whether they’re subject to being fired upon]. I’m prepared to say I would like to see that question answered.
What are other solutions for companies to thwart hackers?
I think the secret sauce here might end up being insurance. Before someone insures my house they want to inspect it. They know how to ask questions like what kind of shingles do I have on my roof and do I have an alarm system or not. And so rather than having the government imposing standards, what you have are companies who are out there buying insurance, understanding that their insurance will cost less if they adhere to certain standards. I’ve got insurance; comprehensive, collision, uninsured driver and personal injury. All for my car. What does that look like for cyber? It could be, I want insurance for my loss of business if my network goes down. Or, I want insurance for my loss of intellectual property. Or I want insurance against the class action lawsuit I’m going to suffer when I lose personal identifiable information. There are a lot of different lanes here. It’s very immature. But I think that’s where we’re going to end up.
This is an area that’s very intellectually appealing. I mean, I wear seat belts. My car is inspected. There’s Driver’s Ed, you know. And all those things have come out not just through government regulation. [Cyber]insurance companies would need to have teams saying. ‘These guys are at level B or at level C minus,’ that kind of thing. Not inspectors. Validators? Certifiers!