Ex-CIA Chief Tells CIOs Not to Rely on Government for Security

Gen. Michael Hayden tells CIOs: "This [cyberspace] is the largest ungoverned space in recorded human history. There is no rule of law up here."

HALF MOON BAY, Calif.—So the government wants to help enterprises achieve totally tight data security. Fine. But is that the good news or the bad news?

The Cybersecurity Information Sharing Act (CISA) is a newly enacted U.S. federal law designed, in its own words, to "improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes." The law allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies.

A little background: The bill was introduced in the U.S. Senate on July 10, 2014, and passed in the Senate on Oct. 27, 2015. The text of the bill was incorporated by amendment into a consolidated spending bill in the U.S. House on Dec. 15, 2015, which was signed into law by President Barack Obama on Dec. 18, 2015.

Proponents say sharing vital intrusion and breach information among businesses and government agencies will help immeasurably in tracking down the bad actors over time. CISA provides for data sharing and offers liability protection to CIOs who share security information at the B2B (business to business) and B2G (business to government) levels.

Value of Legislation Questioned

Opponents question CISA's value, believing it will move responsibility from private business to the government, thereby increasing the vulnerability of personal private information and dispersing that information across seven government agencies, including the National Security Agency (NSA), FBI, state law enforcement and local police. This gives too many people access to business and personal information (such as credit card data) that could too easily be compromised, they contend.

"Basically, CISA says to keep all business and personal information in corporations and telcos, and that when the federal government needs it [for cyber-security reasons], it will ask for it," Gen. Michael Hayden of the Chertoff Group told about 100 Silicon Valley C-level executives Feb. 1 on the opening day of The Wall Street Journal CIO Network conference here at the Ritz Carlton.

Hayden has been on the front lines of national security for more than 20 years as a former director of the CIA and the NSA.

"How to characterize CISA? No. 1, good news. A step in the right direction. But much too late, much too small a step. This says a lot about what's clouding the issues we are facing," Hayden said.

Government Shares Security Challenges With Enterprises

"It's very hard for us to make progress on this, when it comes to government," he said. "Government shares with industries the technological challenges, the problem of [finding] talented people. The government also has this challenge of awaiting political consensus."

Passing the legislation shouldn't have been hard to do, Hayden said. "It should have been self-evident. It took multiple Congresses for Congress finally to act. You may have heard Howard Schmidt, former cyber-czar of the U.S., tell us that 'the government's not coming.' That should be a pretty startling statement, coming from a guy like the cyber-czar, that you're pretty much on your own," he said.

"So, going back to the beginning [with CISA], it was too late, too small a step. So within any realistic planning you have, you are going to be largely responsible for your own defense."

Last year, in one of the year's highest-profile government data breaches, the U.S. Office of Personnel Management's system was compromised in an action believed, although not proved, to have been perpetrated by Chinese hackers. The thieves stole addresses and health and financial details of 19.7 million people who had been subjected to government background checks, in addition to 1.8 million others.

If the government can't protect its own information, why should business hold any expectation of help and cooperation from the government?

Why Business Needs to Supply Its Own Protection

"Business should not," Hayden said. "The next sound you hear isn't going to be the digital bugle and the digital cavalry coming to the ridge line to make everything OK. Our government will be permanently late … for your cyber-security [needs]. Land, sea, air, space, cyber: It's a new domain. You and I have decided that this domain is so wonderfully empowering that we now take things that we used to keep in a drawer or wall and put it up here, where it's largely undefended.

"This is the largest ungoverned space in recorded human history. There is no rule of law up here [in cyberspace]. As taxpayers, we want the government to defend us up here the way it defends us down here. Not going to happen. Reason No. 1 is the general sclerosis of government; No. 2 is that technology is always going to move much faster than any government can move; and finally, the 320 million of us [in the U.S.] have not decided what exactly we want the government to do [in cyberspace] to keep us safe."

Part 2 of the WSJ CIO Network interview with Gen. Michael Hayden will be published soon here in eWEEK.

Chris Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...