General Michael Hayden, a retired U.S. Air Force four-star general and the former Director of the National Security Agency (NSA) and Central Intelligence Agency (CIA), has extensive knowledge and understanding of how to handle conflict and combat. During his time serving in a variety of senior positions, including responsibility for a combat support agency of the Department of Defense, as the Commander of the Air Intelligence Agency and Director of the Joint Command and Control Warfare Center, he became well-acquainted with the military doctrine of “land, sea, air, space and cyber.”
Yes, cyber, just like the earthly realms, is a domain. A place. But not like any place we’ve experienced fully, which makes it very difficult to deal with.
“Security in a digital world is still so hard,” said General Hayden during his keynote presentation at the 2018 PAS OptICS conference earlier this week in Houston, explaining that it represents a much broader threat environment that requires constant adjustment. “We have a lot of bright people working on this problem, but the faster we go, the more behind we get. We don’t seem to be getting ahead of it.”
As a result, this new threat landscape, in which we’ve seen nation states navigating cyber channels to manipulate critical infrastructure and industrial control environments, must be dealt with in a different way. It requires a move beyond perimeter-based security toward situational awareness and consequence management that assumes a breached perimeter.
“They are getting in,” said General Hayden. But we must continue to work. “Get over it and operate while penetrated.”
That was the message to the attendees at OptICS, many of whom are engineers in the energy, infrastructure and oil and gas industries, who are wrestling with how to operate while potentially being under attack. To do so, they must find a balance between digitalization and cybersecurity, two business tactics that seem to be in constant conflict. Digitalization requires connecting and sharing information between enterprise, manufacturing and supply chain infrastructure. That process, however, inherently introduces new risks, as it creates more ways that a bad actor can get into a network and wreak havoc in the form of data theft or physical destruction.
“That which is good for business, is bad for business. The thing that empowers, simultaneously threatens,” said Hayden, who is now a principal at the Chertoff Group, a security consulting firm. “Security is an afterthought of the Internet,” he said, explaining that the original plan of the Advanced Research Projects Agency Network (ARPANET)—from which the Internet originated—was a packet-switching network designed for a limited transfer of information between restricted nodes. The Internet was not designed with cyberwarfare in mind nor with an understanding of the potential adversaries, which are expanding from nation states to criminal gangs to “hacktivists,” all of whom are becoming more capable behind their computer screens.
“The hacktivist group is the one that should really concern you,” General Hayden said. “The actions of nation states have consequences. Criminal gangs have a business model that you can predict. But the hacktivists will come after you simply because you are, with no further explanation. And they are self-organizing,” he said, citing the example of “Operation Payback,” a united effort around the distributed denial of service (DDoS) attacks against PayPal and Mastercard to take revenge on companies that suspended WikiLeaks accounts.
Aside from corporate espionage, data theft, network disruption or physical destruction, the threat is now morphing once again from cyber dominance to information manipulation.
“The Russians went to information dominance,” General Hayden said. “A permanent state of conflict to use informational weapons as a way to play upon the local population and affect our thinking.” To that end, the Russians pretend to be us, using botnets and hashtags to manipulate the news, he said. “Social media manipulation is something that could introduce problems for you with regard to unintended insider threats motivated by fake news or overexcited language.”
But how do we fight back? Isn’t government supposed to keep us safe? Yes, General Hayden said, but in this circumstance, government and the private sector will play supporting roles. “You will be more responsible for your personal safety and your business safety in cybersecurity. It doesn’t mean government can’t help, but it won’t solve it.”
That means businesses will need to adopt a classic risk equation used in combat: Risk = threat × vulnerability × consequence.
First, you identify the most likely threats to the organization. Then it is about assessing vulnerability and defending the perimeter—don’t let the bad guys in. But they are getting in, so now you have to manage the consequences. “Now it is about the time between penetration and discovery,” he said. “Continuous combat in consequence management and threat identification.”
While the threats are real, it is an opportunity for American business to get stronger, General Hayden said, noting we should not destroy the reason we went to cyber and the Internet in the first place: “Empowerment.”