Former NSA Chief Hayden: Cybersecurity Policy Still 'Vacant'
Despite the creation of U.S. Cyber Command, there are still unanswered questions about who is responsible for protecting the United States from cyberattacks, said several experts who spoke at the Air Force Association’s annual conference.
“When we hit specific problems — technical or operational, offense or defense, we’re a bit adrift because we’re doing it in a policy context that right now is fairly vacant,” said retired Air Force Gen. Michael V. Hayden, who also served, most recently, as director of the Central Intelligence Agency.
U.S. government officials often have been handcuffed when operating in cyberspace because it is unclear whether their actions will set a precedent and have unknown lasting consequences, Hayden said. Another obstacle is the absence of a definition of privacy for the Internet age, he added.
Cybersecurity begins with a simple question, said retired Air Force Gen. Ronald E. Keys, a senior advisor at the Bipartisan Policy Center. “What’s going on?” To find out “you have to know who or what’s on your net, are they authorized to be there and are they authorized to do what they’re doing,” Keys said. “And then the question is ‘Now what do we do?’”
An exercise earlier this year showed that the United States doesn’t know, he said.
The Bipartisan Policy Center in February arranged a simulated cyberattack on the United States. The scenario began with a malware program being delivered to cell phones through a popular “March Madness” basketball tournament application. The attack cut service to more than 20 million smart phones and left the eastern seaboard without power. The drill brought together former high-ranking White House and national security officials to determine how they would advise the president in such a situation. Most were left scratching their heads. Some began pounding the war drum. That is one of the challenges of cyberwarfare: Attacks have devastating effects but they may not be state-sponsored.
“They didn’t know what was going on, they didn’t know who was doing it, so now you don’t know who to task to stop it,” Keys said.
A variety of actors float around manipulating things in cyberspace — criminals, activists, nation states, and intelligence agents, among others. There is a fine line between good and bad, Keys said, but even the worst deeds are going unpunished.
Cybersecurity is about deterring the “almost undeterrable,” he said. The United States must establish clear penalties for cybercriminals; there currently is little risk involved in carrying out a cyberattack, Keys said.
“If you come in my house at midnight and the alarm goes off, I’m coming downstairs with a loaded shotgun,” he said. “If you come into my computer at midnight and the alarm goes off, nothing’s going to happen.”
It doesn’t help that the most fertile ground for serious hackers is in countries that don’t have the greatest relationship with the United States, said Michael T. Jones, chief technology advocate at Google.
Of the top 1,600 malware attacks, 1,400 of them were launched in China, “a great place to be a cybercriminal,” Jones said. Hackers in China last December broke into the networks of Google and 33 other companies, including defense contractors, in an effort to steal source code.
Google Earth, a collection of virtual maps and geographic information, is most widely used in places like Sudan, Algeria, Pakistan and Yemen, Jones said. “These are places your boat could get a hole in it,” he said.
Cybersecurity is made more difficult when nobody shares information about attacks, Jones said. The federal government can force organizations to share data by issuing National Security Letters through the FBI and other agencies. These subpoenas don’t require probable cause or a judge’s signature. More than 223,000 of these letters have been sent in the past seven years, according to statistics cited by Jones.
But there remains little cooperation between companies when things go badly in cyberspace, Jones said.
When Google representatives discovered the network intrusion last December, they began calling other CEOs to let them know that their companies also may have been hacked. The others already knew.
“They just didn’t tell us,” Jones said. “It’s the computer version of don’t ask-don’t tell. Everybody’s next, and nobody’s saying anything.”
They choose to keep quiet, he said, because they don’t want to appear vulnerable. Jones urged those at the AFA conference to help change that culture.
“You are guilty for being silent.”