‘You’re the ones who are going to determine if we win or lose’

Former CIA & NSA director General Michael Hayden explains how the Internet has changed security—and why government can’t stop cyber crime.

Railroads changed time for America, from each town using its own solar clock, to national, standardized time zones, so trains could keep a schedule.

“We tell time based upon the need of the railroads to not allow every town in America to tell you when it’s noon,” said General Michael Hayden, former director of the Central Intelligence Agency and the National Security Agency, speaking at the S4x16 cybersecurity conference in Miami.

Like railroads, the Internet—and the people protecting it—will drive change again in this country, and perhaps around the world, he said.

“We (Americans) are going to be remembered for the Internet like the Romans are remembered for their roads,” he said. “This is an incredibly disruptive development for the human species.”

Crime online

This new world is hard to defend, said Hayden, and cyber criminals are doing damage.

“They’re stealing your stuff, they’re corrupting your stuff, they’re hurting your network, they’re creating physical destruction,” he explained in his presentation. Spies and thieves are working to pilfer your personal data, your plans to build a new, innovative product, and your government’s secrets.

He cited the attack on the Office of Personnel Management, where highly sensitive information for more than 20 million people was compromised, including, he believes, his own. U.S. government officials have said they suspected the Chinese government was involved in the hack.

“This is not ‘shame on China,’ this is ‘shame on us,’ Hayden said. “As director of a national security agency, if I would have had the ability to steal the Chinese equivalent of this type of data, I would have done it in a heartbeat. This is how nation-states treat one another.”

“You know we steal other people’s stuff in the cyber domain, right?” he asked. “As the former Director of the NSA, I’d like to think we’re number one. But we steal stuff to keep you free and safe.”

Hacktivist mercenaries

Hacktivists are not as righteous as they once were, Hayden said, and are lining up behind new causes.

“More and more, we’re seeing these guys in the service of the Iranian state,” he said, adding that he has also seen them serve the Syrian state. 

He said these kinds of countries may pose more risk for destructive cyber attacks.

“I’m more concerned about the isolated, renegade, nothing-to-lose, ah-what-the-hell, let’s-roll-the-dice nation-state,” he explained, naming Korea and Iran as examples.

Why so hard to defend?

Hayden said he asked one of the “fathers of the Internet,” Vint Cerf, why the Internet was so hard to defend.

“That really wasn’t in the statement of work,” he said Cerf responded.

The original assignment, according to Hayden, was to move data between two trusted nodes. Now, the Internet is made up of millions of nodes, some trustworthy, many not trustworthy at all.

“We didn’t know it was going to take off the way it did,” he said Cerf told him.

Laws to stop cyber crime

“How come the government’s not doing something about it?” Hayden said people ask. He worked in government for 40 years, serving as NSA director from 1999 to 2005, and as CIA director from 2006 to 2009.

Congress was able to pass a ‘modest’ cybersecurity bill in December, after years of work, he said.

But, Hayden asserted, the government will not be able to prevent cyber crime.

“The government will be permanently ‘late to need’ in providing cybersecurity. It has to do with the rapid advance of technology. It has to do with the overall sclerosis of our government. It has to do with our physical culture,” he said.

Private companies will have to defend against routine cyber attacks, and only 2% of attacks will get a national response, according to Hayden.

That leaves the private sector to do the leading in the cyber war.

“I actually think people in this picture will have more influence on the way we go forward than Congress,” he said. “The main body when it comes to cybersecurity, in all but a very small fraction of cases, the main body is the private sector.”

He told the people attending the cybersecurity conference that they are responsible for defending the Internet.

“You are the main body. You’re the ones who are going to determine if we win or lose.

Photo credit: The photo used for this article is credited to the Gerald R. Ford School. This is used under the Creative Commons license. No changes have been made to the photo.