The open, global Internet is under threat from a variety of sources, and Washington should forge alliances to build a global cybersecurity framework based on common standards and practices, says a new CFR Task Force report on U.S. digital policy. General Michael Hayden, former head of the CIA and Task Force member, says government should support the private sector in cybersecurity, providing information on threats and clarifying what businesses can and cannot do to better protect their networks. While the Pentagon has traditionally taken the lead in U.S. cybersecurity efforts, Hayden says it is time the State Department moved to the fore on this issue. "It would be both sign and substance of increased U.S. interest in the international dimensions of this whole cyber question," he notes.
A primary finding of this report is the need for the United States to build more alliances, between governments and among various other organizations. Where are we currently on this?
A really important byproduct of trying to create [cybersecurity] coalitions of the willing among like-minded nations is that it forces [the United States] to actually think this issue through and to have a much better idea of what it is we think about various tradeoffs that will have to be made.
Secondly, geography matters less in this domain than it does anywhere else. It's really kind of foolish to think about this as a national problem. The third point is that most of this isn't government stuff--it's private sector.
The question becomes, with regard to [cybersecurity]: Who's supported and supporting, between the government and the private sector? I would suggest it may be that the "supported command," for want of a better word, is the private sector, and that the government needs to marshal its resources in support of what is fundamentally a private-sector endeavor to defend.
We've seen U.S. criticism of Chinese cyber espionage getting louder in recent months. How do you see the spectrum of cyber threats?
"[W]hat you've got is almost unrestricted submarine warfare on the part of the Chinese, going after trade secrets, intellectual property, negotiating positions, and so on. And it is on an absolutely unprecedented scale."
Practically everything we're worried about right now is people stealing from us, not trying to harm us. So the first order of threat today is espionage. I used to run several espionage agencies, and everyone does it--we're really good at it, including in the cyber domain. But we only steal stuff to keep you free and safe; we don't steal stuff to make you rich. The Chinese simply don't abide by those parameters. So what you've got is almost unrestricted submarine warfare on the part of the Chinese, going after trade secrets, intellectual property, negotiating positions, and so on. And it is on an absolutely unprecedented scale.
And if that's all there were, it would be bad enough and should prompt action. But what we're also seeing is the presence of uninvited guests in [Supervisory Control and Data Acquisition] networks in industrial control systems [often found in U.S. critical infrastructure, such as power generation, chemical production, water systems, etc]. And currently, there isn't much of intelligence value on those systems. Therefore, the great fear is that this is not stealing, this is long-term reconnaissance for actions designed to be destructive to networks controlled by these systems. Unfortunately, we are seeing more and more of this.
Congress acknowledges many of these vulnerabilities in cyberspace, but there's been legislative gridlock on this issue. What does this report say to lawmakers on cybersecurity?
It says that what is holding us up is not technology or trained people, though you could use far more of those, and that it's time to make decisions--it's time to start drawing lines: What do you want government to do? What do you want this part of the government, namely, the NSA, to do? What's the private sector responsibility? Can you legislate that? Can you regulate it? I don't think so. This is a cry for the government to move out.
So we don't need government to set minimum cybersecurity standards?
Here's the problem: It's such a fast-moving domain. Speaking from experience--thirty-nine years inside the government--when government does something like this, you end up with a checklist compliance mentality rather than the agile responsive mentality that is really needed to do things well.
So you suggest that the government--the NSA, the FBI, DHS--needs to work more closely with the private sector on cybersecurity?
Our biggest problem right now is we don't have policy. We really haven't had an adult discussion because we don't have a commonly agreed upon [cyberthreat] database. Why don't we have a commonly agreed upon [cyberthreat] database? Because we don't share the information.
The government doesn't share because they pretend its secret, and frankly, they're not too anxious to make some of these vulnerabilities public because they can exploit some of them in playing offense. And, frankly, when I make this speech to industry groups, and I start getting a round of applause from the room, I say, "You guys aren't any better, for reasons of liability and so on." So I think the more cyberthreat information is shared, the more quickly we get on.
This report also noted a need to clarify the laws on "active defense" for the private sector. Can you explain this a bit?
Here's the problem: Right now, the Computer Fraud and Abuse Act treats [cyber] activity clearly in legitimate self-defense the same way it treats even the most offensive aggressive action. But there's a difference, and there are things that industries can do to protect themselves. The Computer Fraud and Abuse Act, as currently written, or at least as currently interpreted, prevents industries from taking simple and appropriate steps to provide for their own defense. Although this is not a call for making the cyber domain a digital "free-fire zone," I do think there are reasonable things the government can do to allow industry to be more active in their own defense.
Can you provide a good example of this?
Sure. So what are the legal ramifications of industry inserting destructive viruses into information that is being pilfered from its network? What if a massive distributed denial-of-service attack is being monitored from certain identifiable servers? What would be irrational about thinking industry may have a right to do something to disable those servers? By the nature of the domain, all advantage goes to the offense, and we're making it even worse by limiting ourselves in terms of response.
The United States wants to discourage other potential adversaries from developing and using cyber weapons. But how does that happen if there is an acknowledgment that we use them ourselves?
We've acknowledged, only in a very limited way, kind of self-defensive actions inside of war zones. Now, you and I can speculate that maybe we've done more things, but in terms of acknowledgment, that's what we have.
That doesn't include Stuxnet, though, right?
Of course not. We're the first country on earth to create a Cyber Command, and we're also the first country on earth talking about appropriate behavior in the cyber domain. I understand the irony.
And the Task Force report calls for, specifically, greater declassification of information related to cyber weaponry and cyber threats in general. What's the motivation for that?
In the military, it's called a COP--common operating picture. If you want people to harmonize their action, to cooperate, to have a relatively consistent view of the threat, they've all got to be looking at the same thing. And the only way you can create the "same thing" is to have this fairly common view of what's going on in reality. If everyone's hiding the ball from everybody else, it's hard to get that common view.
We spoke a little about standards related to cybersecurity and cyberwarfare. The Task Force report mentions the Tallinn Manual that addresses some of these issues. Can you speak to that, and how the report says the U.S. should build on this?
We should build on it as a first cut, but not taking everything in the Tallinn Manual, which was written by NATO's Cyber Defense Center of Excellence in Estonia. It attempts to take on some of these troubling questions: How should we think of this action? Is this action on the Web an accepted international practice we call espionage? Is it a crime? Is it an act of war?
And so the Tallinn Manual tries to begin the definitional process. In that sense, it's a great idea. It is a first cut and the right thing for us to do to begin to work through these things so that we can begin to develop norms of international behavior.
And the State Department should be leading this, according to the report?
There's a very strong element in this report that says the State Department needs to reorganize to address this issue, because the most seminal article on the U.S. view toward the cyber domain was in Foreign Affairs three years ago. And even though it was in Foreign Affairs, it was written by William Lynn III, the deputy secretary of defense.
I tell public audiences that the most important line in that article is the one under the title: "by Bill Lynn, deputy secretary of defense," not deputy secretary of state, not deputy attorney general, not deputy secretary of homeland security, not the president's science adviser. So, one could make the claim that U.S. cyber thinking has been led by the Department of Defense. I'm not saying that's bad, but it can't remain that way forever. It's got to have more balance from other parts of government. The State Department is a good axis around which to organize.
Could you elaborate a bit more on the need for the State Department to realign to deal with cybersecurity?
In other words, who's got this ball inside State? I don't have an answer. I don't think State does either. And so, number one, it would just be a good organizing effort. Number two, it would be both sign and substance of increased U.S. interest in the international dimensions of this whole cyber question.
The report advocates for a comprehensive strategy to address cyber espionage and theft. Specifically, it suggests the use of trade policy tools. Can you talk a bit about that?
When we say cyber espionage, fundamentally, the issue is China. The Chinese are doing this for commercial purposes. So why shouldn't our response be in the economic lane, not in the cyber lane? I agree strongly with this element of the report: that who gets visas to visit the United States, what products get licensed, who gets to be listed on the New York Stock Exchange, who gets student visas to come to which U.S. universities for which courses, all should be affected by Chinese cyber behavior. I'm strongly in favor of using all the tools in our quiver.
If we can briefly touch on the issue of governance: Some nations are moving to wall off parts of the Internet as an extension of their sovereignty, potentially fragmenting the global Internet. What does the United States need to be doing on this issue?
In general, the United States likes the Internet the way it is; we just want it to be a little safer, a little more secure. Our problem with the Internet is its misuse, not its use. On the other hand, the Chinese are not concerned about theft on the Internet. They're concerned about that which we think makes the Internet wonderful, which is the free flow of information. So their answer to this is to take the boundaries that everyone's accustomed to in physical space and drop them into cyberspace.
I can imagine a world, regrettably, in which we have cyber visas and cyber passports, and cyber residency requirements, and a whole bunch of things that would destroy the Internet as we know it, which is unitary, global, egalitarian, and equally accessible. We like those aspects of the Internet; that's what we want to preserve.