In a recent interview, The Cipher Brief sat down with former NSA and CIA director Michael Hayden to talk about global threats, and in particular, cyber threats and efforts to address them, specifically within the private sector. Hayden has famously said before that when it comes to cyber, ‘the cavalry ain’t coming,’ so what does that mean for companies trying to compete against cyber bandits that operate outside anyone’s rule of law?
Hayden expressed some hope after recent statements by National Security Advisor John Bolton, indicating that the U.S. would be taking a more offensive approach to cyber threats, saying that the current Administration is more comfortable working with the private sector than the Obama Administration was, and that there have been indicators that the current administration might be more open to a ‘mutually reinforcing role between government and the private sector’.
Hayden’s comments from that interview, below, have been edited for clarity and flow, but you can listen to the entire interview on the State Secrets podcast.
Hayden: You know, I'm still of the belief that government, all governments, but particularly ours, are going to find it very, very hard to provide adequate cyber security just because of the nature of the domain, because of the political sensitivity, and of privacy. So, one of my constant themes in my homilies around the country is that you're on your own up here more than you think you are, so you're just going to have to take more responsibility for your own well being than you have had to do in the physical space, for a long time.
The Cipher Brief: Some people would think that maybe you're advocating hack back.
Hayden: Number one, no. But, I'm willing to talk about that. We don't want to turn this into a free fire zone or vigilantism. But what is the meaning of defense? Is it a law in physics that cyber security has to end at your firewall? I'm an advisor for the Commonwealth Bank in Australia. It used to be the Federal Reserve, now it's part of a bank. It might be one thing for the Australian government to let the Commonwealth Bank do some things for their own defense because they're so big.
The Cipher Brief: With the government's knowledge and oversight?
Hayden: Knowledge and approval and authority, deputization. And it’s because the bank is so big, so important, and so responsible, that you might let it do what you wouldn't let Fred and Ethel's bank in Alice Springs do, okay? I do not want to reflexively reject more active defense than we think is appropriate now.
The Cipher Brief: So does that mean that the active defense, under certain conditions, would really only be able to be carried out by the larger corporations?
Hayden: I'm looking for ways to make this more responsible and more digestible. So look, we don't want to push this to an extreme. Article 1 of the Constitution allows the Congress to issue letters of marque and reprisal, which was what we did when we couldn't control the maritime domain. We took some certain designated private sector actors and gave them the authority to act, with the authority of government, to make the sea lanes safer. So, the historical record is, you don't do this willy-nilly. You don't deputize everybody. You make sure you're doing it with responsible actors.
The Cipher Brief: Whose authority would that fall under, given our current division of duties when it comes to cyber, on the government side?
Hayden: Well, number one, the government hasn't embraced the concept yet. I think Rob Joyce and Tom Bossert, who were the two folks most responsible for cyber in the early Trump Administration, were very uncomfortable with it. They've been moved on by the new National Security Advisor, who’s at least talking a more aggressive game in the cyber domain than anyone has, so we'll see where this might lead. Right now, it seems as if Ambassador Bolton's talking about a more offensive posture from government actors. But, we'll see how it evolves.
The Cipher Brief: So you think there might be room for interpretation for a more aggressive posture in the private sector?
Hayden: There might be room for conversation there about a more aggressive posture by cyber actors. I'll just throw a couple of things out. If you and I are working for a company, and we're on the network, we're bound by certain rules. By their allowing us access to the network, they are demanding certain things. They can check our emails or our attachments.
The Cipher Brief: Giving up your privacy.
Hayden: Yeah. We've given something up to be on the network. Somebody who forcibly breaks and enters into that network, why shouldn't they be subject to the same rules that you and I, who are actually employees of the company, are held to? In other words, have they, in their own way, voluntarily made themselves subject to the rules of anyone on the network by breaking into the network?
The Cipher Brief: For purposes of reprisal?
Hayden: I mean for the things that could be done to you and me, like checking out our files. I'm not quite willing to accept this kind of binary distinction that ‘oh, you can do anything you want, but nothing beyond the firewall’. By the way, I'm convinced that there are things that can be done and that people are doing them.
The Cipher Brief: What do you mean?
Hayden: People are conducting active defense. They're just not doing it from United States territory. We're talking about international corporations.
The Cipher Brief: So it's under-the-radar, this is how we're going to rally our own troops?
Hayden: We gotta go do what we gotta go do. And at some time, that becomes so prominent, so prolific, that at some point, the government's going to want to control it. And the only way you can control it is to organize it, and grant some authorities.