General Michael V. Hayden on Cyber Security & Protecting the Nation

General Michael V. Hayden was director of the Central Intelligence Agency from 2006 to 2009. Prior, he served as the country’s first Principal Deputy Director of National Intelligence and was the highest-ranking intelligence officer in the armed forces. From 1999 to 2005 he was Director of the National Security Agency.

General Hayden discusses threats facing our nation, our businesses, and each other.

EAO: General Hayden, we really appreciate your time for this important discussion on national security, business security and personal security. Given what we all hear — relentlessly — about threats to our national security and personal safety, how do you see the landscape, what do you see as the greatest threats and what can we personally do to protect our businesses and ourselves?

General Hayden: Ed, for the first time this past year when people in government, in the kind of jobs I used to have, testified in open session to both Congressional Intelligence committees, called the World Wide Threat Briefing, all of them said cyber was the greatest threat. And I agree.

When I was NSA director and later head of the CIA, I was asked, “What are your priorities?” And, I would answer CT, CP, ROW, (Counter Terrorism, Counter Proliferation, Rest of the World), this Washington DC alphabet soup. But now, everyone is, very appropriately, focused on the cyber danger.

EAO: When you consider cyber danger, does that range from criminals for monetary gain to the vulnerability of the electrical grid?

General Hayden: Actually, all of the above, unfortunately. And the way I generally outline the taxonomy is: a series of cyber sins and a series of cyber sinners.

Let me give you a sense, first, of all the sins. Overwhelmingly — right now — the primary sin is people out there stealing your stuff. It is your pin number, it is your credit card number, if you are an industry it is your intellectual property, it is your trade secrets. If you are a state actor, it is going after another state’s secrets and so on. Fundamentally, the evil going on out there right now is just theft of thought, theft of intellectual property, in one form or another. But there is also another series of bad things happening out there.

And here you have bad actors, either instead of or in addition to stealing your stuff they want to disrupt your network, for whatever reason, they want to punish you. They want to take your network down, they want to manipulate your data, and they want to delay, destroy, degrade or deny you your information. So you have got theft, disruption, and then we, as a species, we have just got our toe or maybe a whole foot in the water to actually use cyber-weapons to create effects, not on the network but to create effects in physical space. In other words, to use a cyber-weapon to create physical destruction.

The best example of that is something called Stuxnet, which was almost certainly done by a nation state because it is just too hard to do from your garage. It caused 1,000 centrifuges at Natanz in Iran to self-destruct. So those are the sins.

EAO: There were news reports that were driven by the CIA, under your direction. Is that true?

General Hayden: Actually, the best answer to that question is that it would be irresponsible for somebody of my background to even speculate on that.

So we have theft, disruption and destruction. Now who does that? There are three layers. First layer, nation states, China, and you can lash China up to the threat. When in doubt, it is the Chinese coming after your intellectual property, alright.

EAO: Now when they are coming after intellectual property, that applies probably as much to our nation or it applies to businesses?

General Hayden: Oh no, and that is the point. See here is the reality – what is the right word, the real conundrum here, the real difficulty, it is – you have a nation state actor, China, going after secrets. And they are not my secrets, me being the CIA. My secret is kind of okay; I can take on a nation state. The Chinese are not doing that, well they might be trying but they are not being successful. But the Chinese, a powerful nation state, are not attacking just the U.S. Government; they are going after U.S. enterprise. That is not a fair fight. That playing field is not level and you’ve now got the resources of a nation state coming after private American businesses.

EAO: So what’s the answer for American business then? Should they expect the American Government to protect them or do they have to go it alone?

General Hayden: They should expect the American Government to protect them but let me assure you it won’t.

This is a really fundamental issue of American political values. We, as a people, have not yet decided what it is we want the government to do or what it is we will let the government do to protect us in the cyberworld.

EAO: Please expand on that.

General Hayden: I’ve headed up a couple of intelligence agencies and even in physical space there’s still some rough edges as to what it is we want the government to do…or what it is we’ll let the government do. In cyberspace there’s no precedent. We’ve got no rules.

I use this example. I’ve got a backpack and I carry my materials in…so I go to a speech and I get to this point in my speech and I say…you know if I walk out of here when we’re all done and I’ve got my backpack and I’m in front of the hotel waiting to be picked up to go to the airport and a local police car comes screeching to halt in front of me and the policeman jumps out and says hey, open that bag, I tell audiences I would probably respond with the two word monosyllabic English phrase, which probably translates to “I think not.”

EAO: Outstanding.

General Hayden: But if I had gotten in a car and gone on to the airport and gone through the TSA checkpoint the kid there says hey sir, open your bag, guess what? We all open our bag…my point being…although some of this sometimes gets contentious we’ve kind of figured it out. Government can’t do that. The government can do this.

We don’t have that in the cyber domain. So here’s the punch line, our government is late to need; it will be permanently late to need. The kinds of things we have a right to expect our government to do to protect us in physical space, it will not do in cyberspace.

EAO: That’s a pretty bleak assessment…

General Hayden: It is.

EAO: What’s the solution?

General Hayden: Step up private industry. You’re far more on your own here than maybe you should be or certainly you expect it to be. In this domain, individuals, institutions, enterprises are going to have to defend themselves far more than we think we have to defend ourselves against physical threat. Look you have a foreign power come up the Houston Ship channel with a submarine, I’m betting on the Navy. You’ve got a foreign power coming up the Houston Ship channel on that fiberoptic cable at the bottom of the channel, the Navy isn’t coming.

EAO: With your deep experience in intelligence agencies you now advise companies and corporations, specifically on these types of issues. What are the two or three things you can enumerate that have to be considered?

General Hayden: What I do is I generally put on a white board the traditional risk equation, folks like you and me with military experience, we know about this.

Risk is equal to the threat times your vulnerability to the threat, times the consequence of a successful attack. (R = T x V x C). And then I tell the audience…practically the entire history of cyber security has been in V. Now just think back to your own experience. All the things you know about in cyber security, firewall, patches, McAfee, Symantec, Shrink-wrap products…

EAO: Go on…

General Hayden: …you go ahead and load good passwords, cyber hygiene it’s all about V all right. It’s about reducing your vulnerability. The phrase experts use is –reduce your attack surfaces.

Well here’s the story. If you and I are perfect and I mean 1.0 perfect in V we will keep out of our system the lower 80% of those people who are attacking it. Guaranteed we don’t keep the higher 20% out, V is not sufficient. So the history of cyber defense has been in V. The present of cyber defense is in C, consequence or put more accurately consequence management and here the premise is we’re not betting the farm on the perimeter defense and preventing someone from coming in — they’re getting in.

I work with the Chertoff Group, occasionally, clients come in and say, “Hey you know…another industry, another company in our industry just got a phone call from the FBI, oh, really bad stuff and we want to engage you guys to see if we’ve been penetrated.” And Ed, the answer we give them is, you’ve been penetrated, let me give you an address so you can write us our check.

Seriously, current thought is you’re penetrated. Get over it. Survive while penetrated. Operate while under attack. Wrap your most precious data more tightly than your less precious data. Respond to the attack. Under V it’s prevention. Under C and this is where we are now it’s resiliency. All right. They’re in but it’s okay. I know they’re in, I’m boxing them off, I’m continuing to work. Right now a tremendous amount of private sector energy is in consequence management.

Now there’s one other factor T, threat. In the physical world you push T down by saying touch me, I’m going to hit you so hard your whole family is going to fall down…

It’s a little harder to do in cyberspace. So where the energy in T now in cyberspace, and this is quite remarkable, the energy is in threat intelligence, and I’m not talking about the government. I’m talking about private companies and it’s remarkable. This is cyber threat intelligence. It is not intelligence-light. It is intelligence. You’ve got private companies out there…web crawling, port scanning, having foreign national employees assume personae in Ukrainian chat rooms in order to find out what’s going on. So what happens if you engage one of these cyber threat intelligence companies they can actually tell you who’s most likely to come after you for what purposes and what tools they have generally been associated with, which then makes it…

EAO: Which makes it easier for you to do V and C…?

General Hayden: Right. Because you’re now not trying to defend yourself against all abstract threats for all abstract purposes. You’ve got some specifics here. It’s been an epiphany for me, I’ve been out of the government almost exactly five years. The amount of energy now in the private sector for cyber security is just amazing.

God Bless the American system. Here we have a reality where the government’s not going to show up and guess what? American business is stepping in.

EAO: Outstanding. Given that cyber threat, let’s spend a little time speaking about the top-of-mind, visible physical threat. You once said to me the wolf is always banging at the door…is he still?

General Hayden: Yep…and let me do it on two levels. Let’s talk about the terrorism threat in physical space and then the terrorists who are in cyberspace. The terrorist threat in physical space, frankly the reason we’ve been successful—if you ask me was it the TSA line, ah, it’s okay. Was it the 215 program, yeah, it’s not bad okay but fundamentally Ed, the reason we’ve been successful is we are one mean enemy.

EAO: Please expand on that thought.

General Hayden: Well, I don’t think the people who attacked us 12 years ago expected us to do what we did. We’ve come after them with a vengeance. There’s quite a bit of scholarly research that says when you really anger a democracy it really gets tough…and they angered this democracy. We have had a relentless campaign against the Al-Qaeda group responsible for 9/11. That’s what I call Al-Qaeda Prime, in Pakistan and Afghanistan. Two incredibly different presidents I might add.

EAO: So when President George W. Bush stood at the World Trade Center and said The World Will Hear Us…that was not only his…but a commitment the current President has also continued…

General Hayden: Yes. In fact the current President, despite all that rhetoric in the campaign in 2007, 2008, the current President has actually doubled down on a bunch of stuff. When you have two Presidents — so different — do this…it means it’s America, it’s not George Bush, it’s not Barack Obama…

EAO: Right.

General Hayden: There’s a wonderful quote in Der Spiegel, with this latest kerfuffle about American surveillance and so on. At the height of all this, there was the German magazine expressing great disappointment and dismay. They said something along the lines this was George Bush. And that they always thought that there was another America, a better America and now they knew there is only one America. Personally, I actually felt good about that.

EAO: Well it’s similar to when 9/11 occurred you know. We were in the city and I still remember standing outside and…watching the news board coming around Times Square, the news reader and we would be standing there with all sorts of different people, different races, ages, whatever and it was unity…

General Hayden: Yes. Now let me talk a little more about terrorism…and terrorists.

In cyber, there aren’t any, and I can’t explain it. There is no evidence of terrorist groups and we’re talking primarily Al-Qaeda here…

There’s no evidence of them attempting to use a cyber weapon to create the effects they want to create. I can’t explain it. They are not cyber stupid. They use the Web. They use the Web to recruit, to train, to raise money, to proselytize but so far they’ve not used the Web to try to create that disruption or destruction that we talked about.

EAO: Is it coming?

General Hayden: I don’t know. These guys are — I was going to say philosophically driven — but that’s not true, they’re theologically driven and there’s almost this compulsion to create what I would flippantly call physically pleasing destruction. I mean the Al-Qaeda game plan—the primordial instinct is a mass casualty attack against an iconic target.

The World Trade Center again and again. The Pentagon. Airliners and so on. They may just not find it theologically satisfying to shut down the eastern power grid…again, pure speculation.…but they haven’t done it…

Now keep in mind. These guys are planning this from a cave. This is not the most sophisticated enemy in the world.

EAO: That said, that’s a very good point because we tend to give them super human powers because of what they did achieve a few times.

In sum, what would you advise people like myself, our clients, our people who may be reading this interview, the average everyday American, what are you going to advise for him or her?

General Hayden: Let me focus on the cyber question because in a very real way that is the one threat that actually gets to you personally.

Now look, sooner or later, if the Iranians get a nuclear weapon, that’s a big deal. It’s going to affect you and me but it’s a bank shot and it’s going to take multiple caroms before it affects your life.

But the cyber thing, that’s that E-mail that you thought was from your daughter-in-law with the hyperlink that you’re not quite sure whether you should click on or not click on, that’s you, that’s personal and that’s now…

We all just have to get a lot smarter on cyber defense. Look there’s no perfect defense but…like the old joke, two men running away from the bear saying we’ll never out run this bear and the guy says I’m not trying to outrun the bear, I’m just trying to outrun you…

… in other words we’ve got to make ourselves tougher targets than the next guy.

Frankly, as selfish as that seems, if we’re all doing that we’re raising the water level of defense and making it more difficult for adversaries to come after us. I should add that for the most part this cyber weapon has been a sophisticated worm or bug or Trojan horse. That’s no longer the case.

The real cyber weapon now, unfortunately, against you and me…is you and me. What cyber adversaries are doing is social engineering you and me. I mean there’s so much of you and me out there in ones and zeros, they can discover fairly intimate details of who we are and then they can craft an E-mail and look, I’ve gotten this. I got an E-mail that for all intents and purposes looks like it’s come from my daughter-in-law and says, “awesome check this out” and then there’s a hyperlink. Well that hyperlink’s a weapon.

I click on it, I’m done. We all have to be very, very careful that we don’t allow these adversaries to turn ourselves into their unwitting accomplices. You do that—you really do begin to sweep away an awful lot of the dangers.