The United States should help create an international set of norms for cyber behaviors – to distinguish between accepted behaviors like espionage and non-accepted behaviors like cyber theft and destruction – and then craft laws and policies that allow U.S. cyber warriors to succeed in that domain, a former director of the National Security Agency and Central Intelligence Agency said today.
Michael Hayden, speaking at the Foundation for Defense of Democracies, said U.S. military and intelligence organizations haven’t even agreed on terminology to talk about offensive and defensive cyber capabilities, and that a new framework was needed to move forward in the cyber realm.
For example, the retired Air Force general said, many people have rushed to call the Russian cyber attack on the Democratic National Committee a cyber crime. Hayden, on the other hand, views the hack itself as “honorable international espionage” and similar to what the U.S. and most other countries routinely do: gain information about foreign political parties and their intentions. The crime, he said, was stealing DNC emails and distributing them through WikiLeaks to break American confidence in the political system and potentially interfere with the election. Similarly, a Chinese attack on the Office of Personnel Management was typical international espionage, he said, whereas the North Korean attack on Sony Pictures Entertainment went too far and was a cyber crime.
Hayden suggested that the U.S. cyber community and government as a whole begin to address this challenge by figuring out the laws and policies that should govern how American cyber forces operate, similar to laws governing how military forces behave in the physical warfighting domains of air, land and sea.
“I would say our most powerful limiting factor on our cyber capacities – offense, defense, espionage – are questions of law and policy, not questions of capability,” he said.
“We want more technology, could always use more talented people, but fundamentally the big issues that we call ‘lim facs’, limiting factors, are law and policy. What is it we – 320 million, we – what is it we want and more importantly what is it we will allow our government to do … to provide us the same kinds of services we’ve roughly agreed on how they will provide in the physical space.”
Once the U.S. is clear on how it does and doesn’t want government organizations to behave in cyberspace, an international dialogue ought to begin. The distinction between accepted and unacceptable behavior ought to be hashed out by American cyber officials and then debated among close allies and eventually groups like the Group of 7 (G7) and then G20, Hayden said. He said he wouldn’t suggest signing formal documents, as happened with the United Nations Convention on the Law of the Sea to outline maritime norms – but he did suggest that, much like a nation that possesses biological weapons is considered “bad” on the international stage, nations that host botnets should also be considered bad.
“You’re establishing norms – you are a citizen in good standing in the cyber domain or you are a renegade in the cyber domain,” he said.
Hayden also addressed the future of U.S. cyber operations around the world and how the incoming Trump administration would play a role. For the first time, he said, the U.S. has acknowledged cyber operations against an enemy: the Islamic State.
“For the first time we’ve actually said we’re playing ball, for the first time we’ve actually said we’re going after them,” he said.
“I actually think as that becomes more public, we will learn more about the value of response and retaliation and reduction of capacity, because right now our deterrence theory in the cyber domain is based far more on resilience than it is on retaliation. So we actually have a little petri dish going on here as we’re actually trying to reduce the capacity of someone to operate in the cyber domain.”
He said ISIS is “very cyber smart,” as “they recruit, they train, they direct, they proselytize, and they fundraise in the cyber domain,” but he said the cyber warfare between the U.S. and ISIS could provide many lessons learned for the future.
As for the administration that will take over these operations, Hayden – who during the election cycle had stated concerns about President-elect Donald Trump’s views on intelligence and cyber issues – said it can be hard to take fact-based analysis from the intelligence community and mesh it with how a politician wants to see the world, but he said he hopes the intelligence community will work with Trump and his future Cabinet to understand the issues of the day.
“In my judgment, American interests and Russian interests are not convergent, and therefore I hope the fact-based world-as-it-is inductive guys lay out their case as clearly as possible to the incoming administration,” he said.
“What troubles me, the push for ‘wouldn’t it be great if we could get along with Russia’ seems to be without conditions,” he said later in the event.
“I’ve just not seen anything in the rhetoric, any ‘to make that happen these are the things we’re going to have to see.’ I just don’t see that. I’m not enthusiastic so far about what I see as an agreed policy objective – yes it would be better if we had better relationships with the Russian Federation – but to get there by suppressing legitimate American interests I think is very off-putting.”