Addressing Global Cyberthreats: Insights on the cyberspace from General Michael Hayden |

Addressing Global Cyberthreats: Insights on the cyberspace from General Michael Hayden

Addressing Global Cyberthreats: Insights on the cyberspace from General Michael Hayden

By Bill Lydon, Editor,

If businesses were in the dark about the need for cybersecurity before, the 2018 PAS OptICS conference laid it out quite plainly. The organizers turned to retired Air Force General Michael Hayden to share his insights on the cyberspace from both a global defense and business-related perspective. As Principal of The Chertoff Group has experience in the cyber arena.  Acknowledging that his background is not industrial engineering, Hayden offered this as the focus of his talk, “My task today is not to replicate what you have seen but maybe put it into a broader context, broader political and policy context, and a broader threat environment.” 

As a retired United States Air Force four-star general with over 41 years of service, Hayden also served as former Director of the National Security Agency, Principal Deputy Director of National Intelligence, and Director of the Central Intelligence Agency. In 2005, the then Lt. Gen Hayden was confirmed by the United States Senate as the first Principal Deputy Director of National Intelligence and awarded his fourth star - making him "the highest-ranking military intelligence officer in the armed forces".

Hayden began by asking this question regarding cybersecurity, “why is it still, still so hard?”  If that sounds like too many ‘’stills’, Gen. Hayden noted that he added the second “still” to the question about four years ago and suggested there should probably be another added to read, “why is it still, still, still so hard?”  Hayden believes a driving factor for this difficulty is that though there are a lot of bright people working on cybersecurity,  “The faster we go the more behind we get, so that on a good day it is not any worse today than it was yesterday. We don’t seem to be getting ahead of this, so why is that?” 

To explore this in his keynote, Hayden quoted Richard Danzig, former Secretary of the Navy:

“Digital technologies, commonly referred to as cyber systems, are a security paradox: Even as they grant unprecedented powers, they also make users less secure…. cyber systems nourish us, but at the same time they weaken and poison us.”

Hayden emphasized this paradox in several ways: the very same thing that nourishes, poisons.  That which is good for business is bad for business. The thing that empowers simultaneously threatens.  “Thereby we begin to sense why this is still so hard and why progress is a bit slow,” determined Gen. Hayden, “Your military has probably done more thinking about this, earlier than American industry.”


Cyberspace is the New Domain of Warfare

To explain the national defense perspective on security, Hayden cited William J. Lynn III, who served from 2009-11 as Deputy Secretary of Defense. “As a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain of warfare,” Lynn had said, “Although cyberspace is a man-made domain, it has become just as critical as land, sea, air, and space.”   Hayden emphasized this point by explaining how it’s a domain, it’s a place, it’s a location; it’s an operational theater.  Hayden noted that the primary teaching point for the safety and security industrial control systems is shockingly simple, yet often misunderstood: The cyber space is truly a different environment. 

As Hayden described, the issue can be traced all the way back to the beginning of the Internet. The initial goal under DARPA which began as Arpanet was set forth with the work statement, “Build me something that allows me to move large volumes of data, quickly and easily, between a limited number of nodes, all of them I know and trust.”  Fast forward today and we see an environment that is dramatically more expansive and far more uncertain.


An Inherently Insecure Internet

What is the main point of that fact? “Security is an afterthought, security is not built in, it (the internet) was designed to be a limited transfer on a limited number of nodes, all who are known.” Hayden emphasized vehemently,  “Now we have turned that into a universe of almost limitless nodes, many of them we don’t know, and a whole bunch of them that should never deserve our trust.”  He explained that as it was built, the architecture was never designed protect user data, control systems, and data from bad actors, as the threat wasn’t initially foreseen.  As he stated bluntly, “Cybersecurity protection was never built into the Internet statement of work.”


The Three Types of Bad Actor

These “bad actors” in cybersecurity that Hayden referred to, were characterized in three main groups from most capable to least capable:

  1. Nation States
  2. Criminal Gangs
  3. Hacktivists

 “The bad news is the tides are coming in and all the boats are going up, so everyone is getting more capable.” Hayden stated metaphorically, “Those things we now associate only with mid-size nation-states will be within the reach of criminal gangs in a fairly predictable period of time.”

Historically the center of gravity for such criminal gangs in the cyber environment has been in the post-Soviet space, including Russia, Belarus and Ukraine. Hayden believes this was a “kind of natural” progression with a perfect mixture of poor economic activity, a talented and educated population, and genuine scientific capacity.  

The ‘Hacktivists’ Gen. Hayden described as a whole different animal, Characterizing them as “Activists, anonymous, talented, disaffected, socially retarded, living in their mother’s basements,” Hayden advised that this is a group that should concern industry.  For the other two entities, there is some level of predictability. Nation states actions can have military and economic consequences, while criminal gang actions are typically about the money and profit, and therefore the motives are generally straightforward and predictable.  The hacktivists, on the other hand, are disaffected, and as Hayden described,  “They can come after you simply because you are you, they come after you because and you are iconic.”  Gen. Hayden used the example of WikiLeaks to illustrate his point, explaining that when the Wikileaks controversy came out seven or eight years ago, it was discovered that users could contribute to WikiLeaks via PayPal.  PayPal subsequently took the account down.  Subsequently, hacktivists self-organized a retaliation and conducted a denial of service attack against PayPal.


Inside the Cyberthreats

These cyber threats come in many shapes and forms as well. Hayden characterized these primary threats:


This ability to create destruction in the physical space, is exactly what puts industrial control systems front and center. Industrial control systems can be manipulated to create physical damage and some may already be in the line of fire. Hayden reminded the audience of attacks such as Stuxnet, the Ukraine power incident, and others. These, he explained, were attacks during a time of peace, using a weapon comprised of ones and zeros, destroying critical infrastructure. Here, Hayden said, a threshold was crossed, “They unsheathed a weapon and it is not our species history to put those weapons back into the sheath.”


The Government Can’t Solve the Problem, But Can Help Lower Risk

Gen. Hayden concluded by explaining how businesses have to be responsible for their personal and business safety, in the cyber space. The government can help, but cannot not solve the cybersecurity problem.  Hayden did, however, offer several suggestions for organizations on how to do that.

“Organizations and individuals need to presume there will be a breach and have ways to identify the breach and sufficient resiliency to fight the fight, and continue operations,” explained Gen. Hayden, “If I can get any of the factors of the risk equation near to zero I have significantly lowered risk.”  The risk equation goes as follows:

Risk = Threat *Vulnerability * Consequences (of attack)

 “I think it is fair to say the history of cybersecurity has been in vulnerability reduction,” Hayden opined. Yet, as he explained,  “[Cyberthreats] are getting in, get over it” and so consequence management is vital.  Hayden emphasized that today’s businesses must learn to “Operate while penetrated, survive under attack”   The world might not be able to eliminate the cyberthreat from existence, but today’s industrial businesses can take proactive action to ensure that they are able to effectively respond and recover if a cyberattack does come.   

Related Articles

Did you Enjoy this Article?

Check out our free e-newsletters
to read more great articles.

Subscribe Now