WASHINGTON – The former head of the National Security Agency painted a stark picture of government cyber-defenders unable to deal with the current wave of adversaries, not because of a lack of talent, but because legal frameworks defining their roles are not yet in place.
The attacks themselves are not new, but the type of adversaries and the motivation behind these attacks, have changed in recent years, Gen. Michael Hayden, the retired former director of the National Security Agency and of the Central Intelligence Agency, said during his keynote speech at the Kaspersky Lab Government Cybersecurity Forum on Tuesday. Attacks against key targets such as energy companies, utilities and other organizations that control physical assets have been ongoing for years, but the stakes are much higher. The techniques defenders need to detect and disrupt the attacks have also changed over the years.
"We’re now beginning to see the future, and that’s occupying space in other networks, using your presence to create effects that aren’t confined to cyber, but are felt down within physical space," Hayden said. Stuxnet is the "poster child" of such attacks.
The rise of military units and state-sponsored attackers intent on compromising critical networks to either steal sensitive information or disrupt operations did not catch the United States by surprise. However, government defenders are still unprepared to deal with the threats, Hayden said. The government has the people and skills necessary to combat cyber-threats, but is hamstrung by the lack of authority and guidance.
“General Alexander may not tell you this, but he’s got world-class athletes who not only aren’t in the game, they’re not even suited up and are still sitting in the locker room. And the reason they’re not in the game is because he lacks the legal and policy guidance to do these things,” Hayden said.
Last year, Sens. Susan Collins (R-Maine) and Joe Lieberman (I-Conn), introduced a “reasonable and moderate bill” that made it out of committee but never came up for a full vote on the Senate floor for a vote, Hayden said. Why? Because the Chamber of Commerce and the American Civil Liberties Union were both equally opposed to the bill, which is an “unnatural act” in today's political landscape, he said.
There is so much “we have not decided how we are going to do it,” which is slowing down defense, he said.
Hayden called CISPA, the Cyber Intelligence Sharing and Protection Act, which passed the House earlier this year, a “modest information sharing” program, and seemed perplexed the White House had threatened to veto the bill on privacy grounds. “We haven't thought about the basic ideas,” Hayden said.
That isn't to say nothing is being done on the defense side.
"In the American system—actually in the Western system—when government is late to need, guess who shows up? Guess who fills in? It's the private sector," Hayden said. A lot of the innovation and the information-sharing is already happening among private sector companies.
Organizations have historically invested on the vulnerability side, improving cyber-hygiene, reducing the attack surface, and patching bugs, Hayden said. Even if an organization is perfect on this score, it blocks only a portion of attacks. Other attacks and threats remain a threat. Many organizations are beginning to think about consequences, and investing in how to respond to breaches and how to handle incidents.
Organizations need to start thinking about threats, and "I don't know how we prepare for that," Hayden said.