Though the U.S. government can still claim to be the top physical security player in the world, it can no longer claim leadership as the top cybersecurity player, according to retired Gen. Michael Hayden, who has served as the director of both the National Security Agency (NSA) and the CIA.

“I no longer believe that to be the case,” Hayden said at the ICIT Winter Summit on Monday. “I am now convinced that, except in a very thin veneer in very, very extreme cases, the main body [in cyber] is the private sector.”

Gen. Michael Hayden. (Photo: Twitter)

According to Hayden, many of the security, deterrence, and privacy strategies that have worked for government in the physical space don’t translate well into digital strategies, making cyberspace a Wild West for security.

“We are going to have to rely on ourselves and on the private sector for security up here in a way that we have not relied on ourselves for security [in the physical space] since the closing of the American frontier in the 1880s,” said Hayden, adding that the government will likely have to learn to support the private sector in security initiatives.

Hayden explained that military operations often have designated “supported commands,” which lead and form the core of an operation, and “supporting commands,” which act to assist the supported command. According to Hayden, government will now have to learn how to be the supporting command for the private sector.

Part of that support includes prioritizing the digital security provided by the private sector to consumers over some of the wants of intelligence and law enforcement. For example, Hayden explained, though the FBI wanted Apple to provide access to the San Bernardino shooter’s iPhone in February 2016, the damage that would have been done to other customers’ encryption outweighed the forensic benefit to law enforcement.

According to Hayden, this situation showed how the cybersecurity needs of the American people can outweigh the needs of a law enforcement agency. He added that even in situations where the government may really need to find a way into an encrypted device, agencies should think twice before damaging the ability of the private sector to protect American privacy in a way that the government cannot.

Hayden also said that the government and private sector need to come to a consensus on the classifications of cyberattacks and appropriate responses.

“We have not yet arrived at mutually agreed categories of activity,” Hayden said. “That lack of precision confuses our thinking because our categorization is really, really fuzzy.”

Hayden recalled a speech that former President Obama gave after the Sony Pictures hack, in which the president referred to the act as “cyber vandalism” and Hayden realized that there was no good classification for the hack.

“‘Come on, Mr. President, just say what this is: This was a horrible act of cyber….’ That was two years ago, and I have yet to finish my own sentence,” Hayden said. “If we’re still scratching our heads as to what government’s doing up here, we Americans don’t hang around. If the government is not showing up, we’ll start to self-organize.”

Jessie Bur
Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.