NEW YORK—Retired Gen. Michael Hayden, a former National Security Agency director, had a gloomy message for corporate IT security managers: You are on your own in the cyber-security war.
That was one conclusion from a provocative talk by Hayden at a customer event held by security vendor Centrify here May 11.
"Your government is and will remain late to need in providing security in the cyber domain," he said. "You are going to be more responsible for your security [there] than you have been responsible for your security [in the physical realm] since the closing of the American frontier in 1880 or 1890."
Hayden said cyber-security is not just a U.S. government problem: "Government is too slow to operate up here—all governments, and now we Americans have this additional built-in caution to protect our privacy against government intrusion."
Government should be able to handle certain types of cyber-threats, he said: attacks that threaten loss of life, destruction of property or lasting economic damage. But that's a very small percentage of actual attacks. For the rest, we are on our own. "Even the Secretary of Defense is telling you the next sound you hear is not the digital bugle of the digital cavalry coming over the ridge to save the day."
Some of Hayden's most interesting comments were about the U.S. government's role in ongoing cyber-espionage. "What nation-states conduct cyber espionage? All of them. What state is the very best at conducting cyber-espionage? We're number one. We really are. We're really good. That doesn't mean we are like the others ... because your espionage services steal other things in this [cyber] domain to keep you free and keep you safe. Your espionage services don't steal to make you rich."
Hayden, a former four-star general in the U.S. Air Force, is the only person ever to have served as director of both the NSA, under Presidents Clinton and Bush from 1999 to 2005, and the Central Intelligence Agency, under Bush from 2006 to 2009. He was on duty as NSA director on Sept. 11, 2001, and has had a front-row seat to all of the major cyber-security incidents of the past 15 years.
Now serving as a consultant, Hayden said we are in a new "domain," the cyber domain, of national defense postures, and it has flipped the government's usual national security role on its head.
He discussed the power of Stuxnet as a cyber-attack tool, but didn't point any fingers at the perpetrators, slyly saying: "I don't know nothing about no Stuxnet." He was less circumspect about the attack on the U.S. Office of Personnel Management last year. "My and 21.5 million other portfolios were stolen by—I'm here to tell you it was the Chinese—even though our government won't say it was the Chinese."
But, he said, this is not shame on China. It's shame on us for not being prepared—or for not doing the same thing.