Privatizing Cybersecurity

Fmr. CIA head suggests private sector could fill breach left by government

June 4, 2013

Former CIA and NSA director Michael Hayden suggested Tuesday that the private sector could fill a security void left by a government slow to respond to emerging cyberwarfare threats.

Hayden spoke at a cybersecurity forum about the U.S. government response to increased numbers of cyberattacks by governments and hackers. He highlighted the cyberattacks earlier this year aimed at disrupting and crashing websites for U.S. banks, which government officials say were committed by Iran.

Servers for banks such as Wells Fargo that typically receive 15,000 hits a minute from customers experienced 3 million, he said, though no money was taken.

"These [attacks], absent really dramatic action on our part, promise to get worse before they get better," Hayden said.

Those attacks were likely in retaliation for Stuxnet, a computer virus used against the Iranian nuclear program in the last few years and developed by the United States and Israel, according to reports. Hayden described employing Stuxnet as an act that "crossed the Rubicon" and legitimated cyberattacks for other nations.

However, the U.S. government has since failed to develop a cybersecurity strategy that quickly responds to multiplying threats, Hayden said. He contrasted government inaction with private companies that are "holding a shield and using [their] free hand to pick up a sword" by using cyberintelligence to identify and prevent threats.

"We have not yet decided what it is we want our government to do [in the Internet domain] or what we will let our government do to protect us," he said.

Part of the reason is stalled legislation, he said. President Barack Obama has vowed to veto the Cyber Intelligence Sharing and Protection Act (CISPA), which passed the House in April. CISPA would permit the sharing of cyberintelligence between the government and companies, but critics such as Obama say the bill raises too many privacy concerns.

Obama’s talks with Chinese President Xi Jinping on Friday and Saturday will be hampered by the lack of a comprehensive U.S. cybersecurity strategy, Hayden said. Recent reports that Chinese hackers accessed more than two dozen major U.S. weapons systems have provided an impetus for Obama to apply pressure to Jinping, but the conversation will not amount to much, he said.

"I steal stuff. You steal stuff. But you’re stealing the wrong stuff," Hayden said, offering his preview of the talks. "There’s a lack of big ideas."

Hayden served for 39 years in the Air Force in addition to numerous intelligence positions. While his instincts tell him that government is ultimately responsible for security, the cyberwar is different, he said.

"This challenge may require the government to conform its movements to the main body," he said. "The main body may well be the private sector."