Former CIA Director Michael Hayden Discusses the Cyber Risks of Yesterday, Today and Tomorrow

By Michael D. Selfridge, Chief Banking Officer, First Republic Bank
September 20, 2016

As a former head of both the National Security Agency (NSA) and Central Intelligence Agency (CIA) under Presidents Bill Clinton, George W. Bush and Barack Obama, retired four-star Air Force General Michael Hayden acquired a vast knowledge of the new era of cyber warfare. After two fascinating presentations hosted by First Republic, we sat down with General Hayden for his thoughts on recent cyber attacks, the need for expanded government and private sector collaboration and keeping the nation safe in a world of increasing threats.

"The private sector will win or lose the cyber war, not the government, so the government needs to develop a new relationship with industry."

What cyber risks do you see as we head toward the presidential election in November? 

There are two periods of policy vulnerability in the American political cycle: six months before the inauguration and six months after it. During the 2008 presidential election, our great fear was that the Israelis would bomb Iran because they thought they could get away with it during the change in administration. And the new risk is a cyber attack to influence the election, like releasing a new batch of Democratic National Committee (DNC) emails. That's why people talk about the October surprise. 

It's a common belief Russians were behind the theft of the DNC emails. How should the United States respond to the hack and release of this information? 

Russians stealing the DNC emails is an honorable act of international espionage.  That was a shame on us, not a shame on them. What's far more serious than the espionage is using this information to affect American political practices. When this happened, a lot of people asked me what I thought we should do in response. You don't respond to the specific act in isolation; you put it in the bundle with all the other stuff the Russians are doing. The response might be to sell TOW missiles — tube-launched, optically tracked, wire-guided missiles — to the Ukrainians or put pre-positioned equipment in Estonia for an American-armored brigade. 

Some people have called the Chinese government our greatest cyber threat. Is the U.S. at risk of a new cyber cold war with them? 

China's behavior has gotten marginally but measurably better. They're stealing less information than they once were. Last April, President Obama issued an executive order saying we're tired of this, and if it continues, we're going to respond – but not necessarily in the cyber domain. We haven't pulled the trigger on that Order, but I like it. In September, Chinese President Xi Jinping agreed with our definition of espionage, and he signed a communiqué acknowledging that legitimate state espionage does not include stealing for economic advantage for national industries. It might be the beginning of a realization that China doesn't want to live in world of unrestricted piracy. 

Traditionally, the notion of "mutual assured destruction" has been a deterrent to armed conflict. Is this concept transferable to the cyber sphere? 

Deterrence in the nuclear era was based on attribution and retaliation – you knew who committed the act. Deterrence in the cyber era doesn't work in the same way. Today, deterrence is based on resilience, meaning your ability to detect an attack or recover from an attack. 

Should the government ever contemplate a physical attack in response to a cyber attack? 

Absolutely. And that is our national philosophy. We do not respond to an attack based on its means, but on its effect. 

On a personal note, did you ever envision that you would hold all the positions you did, from being a four-star general to head of the CIA? 

I don't have the background of someone you'd envision holding the roles I've had. I was born in Western Pennsylvania, I went to parochial school, my dad was a welder and I walked to college. I remember sitting in the Situation Room and having President George W. Bush look down at me and appear to be making eye contact as he asked a question, and I assumed he was speaking to the subject matter expert behind me. But I turned around and there was no one behind me. 

You served as an advisor to President George W. Bush and to President Obama in the first six weeks of his presidency. What was that like? 

President Bush had a lot of time for intelligence, and he was incredibly interactive. President Obama was smart and well-read but not interactive at all. Let me add that Hillary Clinton got to the bottom of the page faster than anyone I briefed. 

Barring unforeseen circumstances, either Hillary Clinton or Donald Trump will be the next president. What would you advise them in terms of cyber security? 

The business community is often deaf to any form of regulation, even those that promote greater protection in cyber space. The Republican base is pushing back because they want the government out of their lives altogether. The Democrats push back because of Fourth Amendment or “Big Brother” concerns. I would advise a Republican president to walk across Lafayette Park and speak to the head of the Chamber of Commerce and say, "It ain't your night, kid," and tell him we need to be implementing important cyber protections. I'd tell a Democratic president to call the ACLU and say, "I love you like a brother" but we have to go do some things 

Was it reasonable, then, for the federal government to ask Apple to open the phone of terrorist Syed Rizwan Farook for them so they could see his emails and messages? 

I think it was absolutely within constitutional rights for the government to ask Tim Cook to break his own encryption and open up the iPhone of a terrorist. It just wasn't smart of the government to ask him. The next president has to kiss and make up with Silicon Valley. The private sector will win or lose the cyber war, not the government, so the government needs to develop a new relationship with industry on this matter. 

What have been the ramifications of the lack of cooperation between government and industry? 

Twitter has a data mining tool which has a powerful algorithm that allows you to monitor broader trends, like seeing that people are assembling in a way that might indicate growing public unrest. Twitter would not provide that tool to the American intelligence community, even though businesses can buy it, because of their concern about getting too close to the government – a byproduct of the Snowden Leaks incident. In this era, the winning hand is for government and industry to work closer together. 

Can that happen? 

I won't go into details, but when I was director of the National Security Agency, American industry voluntarily worked together with me in ways that I never would have had the courage to ask them for. So, I am hopeful.

The information and opinions in this article are presented as-is.

©First Republic Bank 2016