In early December, three major banks reported cyber incidents, including the Royal Bank of Scotland and JP Morgan Chase, a reminder of the vulnerability of critical financial infrastructure. That same week, Iran accused Israel and Saudi Arabia of plotting a Stuxnet-like attack on Iran’s nuclear program. With the fallout of revelations by former National Security Agency contractor Edward Snowden still reverberating in western capitals, questions continue to arise about the capacity of governments in critical infrastructure protection, digital surveillance and ensuring personal privacy. General Michael Hayden, former director of the NSA and the Central Intelligence Agency, spoke with editor Chris Thatcher about the cyber domain and the balance between privacy and security.
You have argued that we are trying to put new ideas into old forms. Are the rules of engagement different in cyber space than they are in other domains?
I firmly believe that the laws of armed conflict apply in the cyber domain as much as they do in physical space. The principles of proportionality, distinction, necessity – those are all the laws of war and they apply in the cyber domain, too. But cyber is still so new… In the other domains – land, sea, air, space – the government has a role and, more or less, a generally agreed role like police forces and fire departments and armies and the centres for disease control. We have worked out what it is we want the government to do and what it is we will allow the government to do in physical space. We have not done that in the cyber domain yet. We are still debating what it is we want the government to do for us there and what it is we will let the government do for us there. That’s what I mean by old patterns and which of these apply or don’t apply to this new cyber space.
How clearly do we understand doctrine in the cyber domain?
We are still working that issue. For example, what constitutes an attack in the cyber domain? We are very sloppy with our language. We throw the term “cyber attack” anytime anything unpleasant happens to us in the domain. Well, we shouldn’t. The Chinese stealing intellectual property? That’s cyber espionage. It’s bad, but it is not quite an attack. If the Iranians attack American banks with distributed denial of service attacks and make it impossible for you or I to check our bank account, something that does more than just steal data, something that affects a network, that’s more moving in the range of an attack. Finally, if someone used a weapon comprised of ones and zeros to create physical destruction to a supply system or a grid, that definitely is an attack. We are still working our way through, first, what is an attack in the cyber domain, and second, what is an act of war in the domain.
Does the response need to be proportional to the attack in this domain?
The American government has issued a declaratory policy which states we will calibrate our response based upon the effects of an act, not upon its means. I think that is actually pretty good.
What of second and third order effects in the cyber domain: How well do we understand the ripple effects?
That comes back to the principles of armed conflict and the principle of distinction, which means that, if you think you have a military necessity and you can distinguish between combatant and non-combatant, can you be sure a) that you can make that distinction and b) when you commit whatever act you are planning, that the results are proportional to the military need. You are relying on your ability to precisely predict the outcome of your attack. We have mastered that pretty well in physical space, though bad things sometimes happen, but perhaps we haven’t nearly mastered it quite as well in cyber space that we can absolutely predict with confidence that this will happen and nothing more.
Given the integration of critical infrastructure across our borders, do we need to consider something like cyber NORAD to better defend that space?
I really do. Our cyber space is more integrated than our air space. Therefore, it is absolutely clear to me that this requires close coordination between our two countries. That also means broad agreement on what constitutes a threat, what constitutes an appropriate response, what constitutes suitable privacy, and so on. We have two democracies that have figured out how to do that when you are controlling air space; now we are challenged with how do we do that in this entirely new domain.
Do you know if that discussion is taking place?
I truly don’t know. We have historical cooperation between our two countries’ militaries and intelligence services, so I am sure there is work being done here, but I just don’t know the details.
The Snowden revelations of recent months have probably left many of us pondering the scope of national surveillance of electronic data, without really understanding the roles of certain government agencies: What are intelligence agencies actually doing?
When you are doing espionage, you divide the work up largely by method of collection: You have an imagery agency, a human intelligence agency, and a technical or signals intelligence agency. The collection for each of those is quite different and requires different technology, different skills and even a bit of a different culture. Most intelligence organizations around the world are organized along those lines. With regard to signals intelligence, your effort is to go after communications in a lawful way – communications that your law does not protect – that allow you to provide meaningful intelligence to your nation’s policymakers.
Privacy commissioners in Canada have begun to talk of a new paradigm in which we need to re-think the concepts of privacy and security, particularly in light of new technology, big data, analytics and so forth. Do you see that?
I do. The traditional approach – and I recognize that technology has really changed this – is that each nation had its own laws as to what constituted privacy. Ours is anchored in our Fourth Amendment, which protects Americans against unreasonable search and seizure. The Fourth Amendment is not an international treaty – it applies to Americans, those in the United States and permanent legal residents of the United States. That seemed to be just fine through the first 55 or 60 years of the National Security Agency, which was founded in 1952. Now there are shifting standards globally as to what constitutes a legitimate expectation of privacy. And we are now involved in a global debate as to what those standards should or should not be. Happy for the debate, but I’m not prejudging outcome here. It remains a world of sovereign states and a world of enduring dangers, and signals intelligence is an incredibly valuable way for a state like mine to learn the plans and intentions of those who might mean harm.
What should be the role of oversight? Certainly in this country there is a strong sense that it has been insufficient.
You have got to define the terms of reference. In most countries, to the degree they debate this, the debate is about what security services do domestically, not what they do abroad. And the really interesting thing about what is happening now – interesting and somewhat frightening for an American – is that this debate which began about what our security services are doing “domestically” – the metadata program, the Prism program and so on – this is now a debate about what our foreign intelligence services do against foreign targets. That’s really uncharted territory.
Is part of the problem that we have an all hazards approach versus a risk-based one, that with each incident – reported or otherwise – we feel the need to expand the security requirements to protect ourselves?
I had 39 years in the air force and in the first half of my career we were worried about the Soviet Union. I can’t find a civil libertarian who would raise a finger about the NSA trying to intercept Soviet high command communications emanating out of Moscow trying to go to an ICBM unit out beyond the Urals. That was a dedicated network, a known enemy. The 2013 version of that is al-Qaeda emails co-existing on a world wide web with your communications and mine. And free people have to decide: do you want these security services to provide you what they were providing when the threat was that one, but in today’s world? If the answer is, yes, then you are going to have to admit the reality that they are not going to be going after isolated communications on dedicated networks, they are going to be bumping into your stuff. The real question becomes: Can I trust them to go after the other stuff and even though they may bump my stuff, they won’t do anything that makes me uncomfortable?
Does the nature of the technology and the fact that so much “intelligence” is open source change how we need to think about the problem?
Let me answer that question by making the problem bigger. I was head of CIA after I was head of NSA. I had an advisory board and I gave them hard questions. One of the hard questions was: Will the United States be able to conduct espionage in the future, inside a broader political culture that every day demands more transparency and more public accountability from every aspect of national life? They went away and studied that problem and came back after six months and answered: We are not sure.
We are at a fundamental moment here in terms of the traditional ways that sovereign states have defended themselves in the past with their intelligence services. Look, and I really mean it, just tell us what the rules are. You have to understand that if you draw the box real small you are probably going to be a little more in danger than you would otherwise. But just tell us where the box is.
Do intelligence agencies then need to become better at telling their stories, despite that need for secrecy? How does an agency tell its success stories in that context?
That’s a real problem. If I just look at this through the narrow lens of intelligence effectiveness, I wouldn’t tell anything to anybody. But that was never possible. The citizens of a democracy have to have at least a reasonable idea of what you are doing on their behalf. And I think quite clearly what has happened in the last number of years is, if intelligence services expect public support, they are just going to have to tell more of their story to their own citizens. That will shave some points off operational effectiveness, but the trade-off there is that if you don’t do that, you won’t get to do anything because your citizens won’t have a sufficiently high level of confidence in what you are doing. So we are going to have to be more forthcoming. That is ahistorical for us.
General Hayden was a keynote speaker at the 1st Digital Economy Congress, “The Challenges and Opportunities for Cross Border Data Flow,” hosted by Reboot Communications in San Diego in November. Reboot will hold its 15th Annual Privacy and Security Conference February 5-7 in Victoria: www.rebootcommunications.com