In the final video installment, the intelligence expert touches on private entitiesâ€™ steps to limit harm, and cyber deterrence approaches government can employ against bad actors.
Watch the full interview.
More information on our Cybersecurity: The Next Great Battlefield series
WALWORTH: Let me just ask you about cybersecurity generally because you've talked about this, this is outside of the context of your book but think of cybersecurity generally as sort of building a defensive perimeter, keeping the bad guys out. You recently were talking about this and it seems like that it's changed a bit and that you can't keep the bad guys out. You're under attack constantly. There already inside the Alamo or whatever. How does that change the way companies should deal with cybersecurity?
HAYDEN: Sure. So the history of cybersecurity, if you could go back far enough, it's what you described. It's the firewall. Keep them out. Cyber hygiene, good passwords, turns the machine off over the weekend, all those sorts of things. Put the patches in, talk to your sys ad, get the work done. That's good and keep doing it but it's not nearly sufficient. The persistent talented threat is getting in. So if you really wanna defend now you have to defend on presumption of breech. They're getting inside the wire, get over it. Operate while under attack. Survive while still penetrated. So now the passing grade is not whether or not they get in, the very best will get in. The passing grade is how long are they in before you know it. So now rather than defense, you gotta do it, but the secret sauce now is response, resiliency, recovery, reconstitution, the detection of attack. It is almost as if rather than the moat, the castle wall, or the Maginot line it's a constant meeting engagement in which you are constantly fighting within your own network to keep your own network secure against intruders which are inevitable.
CANNON: So companies can do that themselves, what you described. In terms of cybersecurity, should the United States Government be using offensive measures also against bad actors?
HAYDEN: That's a great question. So a couple factors bearing on the problem. Number one, this is a domain in which offense doesn't translate to defense. The offensive capacity doesn't automatically make you more secure. Whereas in the maritime domain, you got a big navy, hey, play it both ways. I can go there. I can stop them from coming here. Cyber domain, not that way. So I agree with you, we've got, I'm fond of saying, the greatest concentration of cyber power on the planet is about 30 miles over my left should up there at Fort Mead. But it doesn't, it's hard for us to apply that to defense, largely because of civil liberties questions, political cultural questions. We don't want the government kind of walking the beat inside of our network and so we have those issues.
HAYDEN: The outgoing Commander of Cyber Com just left, Mike Rogers. And the incoming Commander, Paul Nakasone, Admiral, General. In recent testimony, I mean really recent. Six weeks ago maybe, four. Both talked about imposing consequences on cyber aggressors which is not the same thing as defense. It's simply convince people, "You don't wanna do this. Trust me, you don't wanna do this."
CANNON: The Stuxnet theory. Kind of.
HAYDEN: Well it's that, "I can hold things you hold dear at risk. I don't think you should be throwing rocks at me." Now that is actually a bold theory. It is not government policy. Even this government which is more aggressive than some other ones. It is not. So it's out there as an idea that we might be able to conduct what they label as cyber deterrence, not defense. That we can either disable machines that are coming at us or we can hold at risk things they hold to be dear. In other words, what they're arguing for is a new legal and policy space above the normal, "I'm spying on you and stealing your stuff" line but below the, "And now I'm at war with you" line.
CANNON: Is it the same logic of mutually assured destruction?
HAYDEN: Well actually you can reason by analogy with the nuclear world with the disabling attack being the counter force approach and the counter value approach being hold dear that which they value. There is a logic there but mutually assured destruction was always a theory. These guys are asking for something that would actually be taking place.
WALWORTH: Do you think that would be a good idea to do it?
HAYDEN: I've not yet resolved that one in my mind. There's a lot of thinking that needs to be done about that.
WALWORTH: In the private sphere you've talked about this being now a board level responsibility. You've even talked about repopulating board with people who understand-
HAYDEN: Just relive the Sarbanesâ€“Oxley drama.
WALWORTH: Right. So tell me a little bit about that.
HAYDEN: So most boards being of my age don't have an awful lot of inherent cybersecurity capacity on them. So boards are now gonna have to go out and hunt for that talent to be on the boards. I mean the same way that they had to respond to other regulatory requirements they now have to have some technological expertise on the board in order to be able to do what a board ought to do with regard to the company, yeah.
WALWORTH: And in your conversations you're having success with that?
HAYDEN: Yeah. Actually you know, American's industry's got this. Yeah. So shortly after I left government, so this is 2009 maybe, late in '09. I'm up in New York with George Tenet and Mike McConnell, former DCI, former DNI. We're having dinner with 20 folks that I would just call Wall Street types. We're waving our arms about the cyber threat. By the time we kind of got around to the dessert one of the participants finally asked the question I knew was on everyone's mind. "How much is this gonna cost me?" We have moved from that position, from a time when American business saw cybersecurity as subtraction from the bottom line, to an appreciation that cybersecurity is integral to the top line. I think we really have made that turn.
CANNON: What's that old ad? Pay me now or pay me later?
HAYDEN: Yeah, and pay me more later.
CANNON: General Hayden, I want to thank you on behalf of Real Clear Politics and Andy Walworth for your time.
HAYDEN: Thank you.
CANNON: It's been a great discussion.
HAYDEN: I've really enjoyed your questions.
CANNON: There's more information about cybersecurity, including information on General Hayden's new book, on our website. Just go to ReadClearDefense.com and you'll get a prompt to go to our cybersecurity page. We hope you'll join us again next time. On behalf of all of us here at Real Clear Politics, I'm Carl Cannon. Thanks for watching.