Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Government Needs Legal Framework to Guide Cyber-Defenders: Former CIA Director

WASHINGTON – The former head of the National Security Agency painted a stark picture of government cyber-defenders unable to deal with the current wave of adversaries, not because of a lack of talent, but because legal frameworks defining their roles are not yet in place.

WASHINGTON – The former head of the National Security Agency painted a stark picture of government cyber-defenders unable to deal with the current wave of adversaries, not because of a lack of talent, but because legal frameworks defining their roles are not yet in place.

The attacks themselves are not new, but the type of adversaries and the motivation behind these attacks, have changed in recent years, Gen. Michael Hayden, the retired former director of the National Security Agency and of the Central Intelligence Agency, said during his keynote speech at the Kaspersky Lab Government Cybersecurity Forum on Tuesday. Attacks against key targets such as energy companies, utilities and other organizations that control physical assets have been ongoing for years, but the stakes are much higher. The techniques defenders need to detect and disrupt the attacks have also changed over the years.

 Kaspersky Government Cybersecurity Forum

“We’re now beginning to see the future, and that’s occupying space in other networks, using your presence to create effects that aren’t confined to cyber, but are felt down within physical space,” Hayden said. Stuxnet is the “poster child” of such attacks.

The rise of military units and state-sponsored attackers intent on compromising critical networks to either steal sensitive information or disrupt operations did not catch the United States by surprise. However, government defenders are still unprepared to deal with the threats, Hayden said. The government has the people and skills necessary to combat cyber-threats, but is hamstrung by the lack of authority and guidance. 

“General Alexander may not tell you this, but he’s got world-class athletes who not only aren’t in the game, they’re not even suited up and are still sitting in the locker room. And the reason they’re not in the game is because he lacks the legal and policy guidance to do these things,” Hayden said.

Last year, Sens. Susan Collins (R-Maine) and Joe Lieberman (I-Conn), introduced a “reasonable and moderate bill” that made it out of committee but never came up for a full vote on the Senate floor for a vote, Hayden said. Why? Because the Chamber of Commerce and the American Civil Liberties Union were both equally opposed to the bill, which is an “unnatural act” in today’s political landscape, he said.

There is so much “we have not decided how we are going to do it,” which is slowing down defense, he said.

Hayden called CISPA, the Cyber Intelligence Sharing and Protection Act, which passed the House earlier this year, a “modest information sharing” program, and seemed perplexed the White House had threatened to veto the bill on privacy grounds. “We haven’t thought about the basic ideas,” Hayden said.

Advertisement. Scroll to continue reading.

That isn’t to say nothing is being done on the defense side.

“In the American system—actually in the Western system—when government is late to need, guess who shows up? Guess who fills in? It’s the private sector,” Hayden said. A lot of the innovation and the information-sharing is already happening among private sector companies.

Organizations have historically invested on the vulnerability side, improving cyber-hygiene, reducing the attack surface, and patching bugs, Hayden said. Even if an organization is perfect on this score, it blocks only a portion of attacks. Other attacks and threats remain a threat. Many organizations are beginning to think about consequences, and investing in how to respond to breaches and how to handle incidents.

Organizations need to start thinking about threats, and “I don’t know how we prepare for that,” Hayden said.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Cybercrime

On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...