SecurityWeek

Government Needs Legal Framework to Guide Cyber-Defenders: Former CIA Director

WASHINGTON – The former head of the National Security Agency painted a stark picture of government cyber-defenders unable to deal with the current wave of adversaries, not because of a lack of talent, but because legal frameworks defining their roles are not yet in place.

The attacks themselves are not new, but the types of adversaries and the motivations behind these attacks have changed in recent years, Gen. Michael Hayden, the retired former director of the National Security Agency and of the Central Intelligence Agency, said during his keynote speech at the Kaspersky Lab Government Cybersecurity Forum on Tuesday. Attacks against key targets such as energy companies, utilities and other organizations that control physical assets have been ongoing for years, but the stakes are much higher. The techniques defenders need to detect and disrupt the attacks have also changed over the years.

“We’re now beginning to see the future, and that’s occupying space in other networks, using your presence to create effects that aren’t confined to cyber, but are felt down within physical space,” Hayden said. Stuxnet is the “poster child” of such attacks.

The rise of military units and state-sponsored attackers intent on compromising critical networks to either steal sensitive information or disrupt operations did not catch the United States by surprise. However, government defenders are still unprepared to deal with the threats, Hayden said. The government has the people and skills necessary to combat cyber-threats, but is hamstrung by the lack of authority and guidance. 

“General Alexander may not tell you this, but he’s got world-class athletes who not only aren’t in the game, they’re not even suited up and are still sitting in the locker room. And the reason they’re not in the game is because he lacks the legal and policy guidance to do these things,” Hayden said.

Last year, Sens. Susan Collins (R-Maine) and Joe Lieberman (I-Conn.) introduced a “reasonable and moderate bill” that made it out of committee but never came up for a full vote on the Senate floor, Hayden said. Why? Because the Chamber of Commerce and the American Civil Liberties Union were both equally opposed to the bill, which is an “unnatural act” in today’s political landscape, he said.

There is so much “we have not decided how we are going to do it,” which is slowing down defense, he said.

Hayden called CISPA, the Cyber Intelligence Sharing and Protection Act, which passed the House earlier this year, a “modest information sharing” program, and seemed perplexed the White House had threatened to veto the bill on privacy grounds. “We haven’t thought about the basic ideas,” Hayden said.

That isn’t to say nothing is being done on the defense side.

“In the American system—actually in the Western system—when government is late to need, guess who shows up? Guess who fills in? It’s the private sector,” Hayden said. A lot of the innovation and the information-sharing is already happening among private sector companies.

Organizations have historically invested on the vulnerability side, improving cyber-hygiene, reducing the attack surface, and patching bugs, Hayden said. Even if an organization is perfect on this score, it blocks only a portion of attacks. Other attacks and threats remain. Many organizations are beginning to think about consequences, investing in how to respond to breaches and how to handle incidents.

Organizations need to start thinking about threats, and “I don’t know how we prepare for that,” Hayden said.
