Cyber-Security Is Business’ Business

There’s been a “tectonic shift” in the world’s security environment, declared General Michael Hayden, a retired four-star general and former director of the CIA and NSA. “What used to seem permanent is proving not to be,” he warned the audience at Centrify Connect 2016, an identity and security conference held in New York on May 11-12.  

Backing up his statement, Hayden said that nation states have begun playing lesser roles in today’s cyber-world, which he called “the largest non-governed space in human history.” Moving in to take over that role are sub-state actors, criminal gangs and individuals such as hactivists, who have become empowered to engage in terrorism, cyber-attacks and transnational crimes, including acts of war.

The ever-growing number of cyber-crimes and cyber-criminals has made it impossible for governments to respond effectively to all these events. “All governments—including ours—are too slow to provide security,” he stated, adding that there are structural, cultural and privacy issues that are complicating the ability of governments to take action against these criminals.

Hayden stressed that the “main body for American cyber-defense has to be the private sector,” with the government acting in a supporting role. One problem, he said, is that businesses are now too restricted to protect themselves.

“We need to give the private sector more power to defend themselves,” he said, adding, “No one has been prosecuted for being too aggressive in defending themselves.”

The general pointed to cyber-privacy as one example of the role the private sector could play.  “Facebook’s Mark Zuckerberg will have more impact than the government on privacy,” he asserted.

The Three Aspects of Risk

When it comes to managing security risks, Hayden advised the audience to consider three aspects: threats, vulnerability reduction and consequence management.

“Most of the history of cyber-security has been in vulnerability reduction—reducing the attack surface,” he said. “But attackers are going to get in, so you have to deal with it. Consequence management is key.”

Hayden added that many attacks are the result of compromised identities, whereby outsiders become insiders and steal data. He said that the NSA had been in the process of installing a network monitoring system, but it hadn’t finished the work when former contractor Edward Snowden copied an estimated 1.5 million government documents and leaked thousands of them.

The antidote to these types of cyber-crimes, according to the general, includes multifactor authentication, network monitoring, behavioral analytics and reduced empowerment of individuals. Regarding empowerment, he pointed out that Snowden and former U.S. Army Private Bradley Manning, who passed classified material to Wikileaks, should never have been empowered to access so much confidential government information.

On the other hand, Hayden believes that there should be more sharing of information. “We haven’t had a national conversation about sharing,” he said. “The government won’t tell you what’s going on, and private industry won’t share either. We need to give people more information in order to build trust.”