Former head of the NSA and CIA Michael Hayden sat with with Fifth Domain Aug. 20 to discuss cyber in the Trump administration, threats from Russia and China, Facebook and the issue of hacking back.
The transcript has been lightly edited for clarity.
FIFTH DOMAIN: I first wanted to ask about America’s cyber strategy. What are the things that you see the Trump administration doing right in cyberspace, and what are the things they are doing wrong and need to work on?
MICHAEL HAYDEN: I thought they picked a very strong team originally with Tom Bossert and especially Rob Joyce. And, if you recall, as we went through the first three months of the administration in what I would call “executive order hell,” the executive order on cybersecurity was patient, thoughtful, measured and broadly cooperative. They put drafts out, invited comments and so on. All good things. And then when John Bolton became national security advisor, he fired Bossert and then Joyce left within a week or so. And then by in large the positions have been abolished. I mean you don’t have the dedicated structure you had before. That worries me a lot.
Now look, I’ve heard from some people who are very smart, informed and well intended. There may be less to what I just said than meets the eye, that there are a number of folks on the National Security Council who are cyber smart, and so on.
But, boy, you had two good people; boy, you had a structure; boy, they seemed to have been performing pretty well; and now I don’t see much. So that’s one effort.
The second, this is an administration far more comfortable with American industry than the Obama administration.
I mean it’s a business-friendly administration, it just is. In the cyber realm, that also gives me reason for hope. I do think our core line of defense in defending American information networks and operating systems is the private sector. So a government more inclined to let the private sector go, cooperate with the private sector, I think intuitively might have more opportunities than one that is distrustful of the private sector, not all that enthusiastic about the profit motive and inclined to regulate. It’s a difference in tone. But given the importance of the private sector for what we are talking about, I thought this might open up opportunities.
So you asked for good news. So, in column one, I was happier three months ago than I am now, or four months ago when Bossert was fired and Joyce left. In column two, I had some hope, although I have not seen a whole lot of delivery because, I mean, the administration is just inefficient.
There is no process. I mean, in the Bush administration, in the Obama administration, I could point to something to say, “This is the American cyber plan.” And then I could argue about it. I can’t do that here yet. I am just not sure what the direction is. I did understand it when Joyce and Bossert were there, because I read the executive order and, I’ll get the details wrong, but around the time Joyce and Bossert were fired they were about to have some public meetings on cyber strategy. All those were cancelled. So we are kind of left hanging here.
The third area — it’s very recent, but there have been press accounts and that’s all I’m basing this off of — is that the administration wants to adjust PPD 20.
FIFTH DOMAIN: Yes, a White House official told me the same thing.
The Trump administration kicked off a new era of government cyber operations by “rescinding” a presidential directive that had restricted offensive capabilities, an administration official told Fifth Domain, but experts warned the move would not be sufficient in detering state-based hacking.
HAYDEN: That’s ok. I’m interested in that. [Adm.] Mike Rogers and [Gen.] Paul Nakasone have both talked about the need for robust cyber deterrence. In other words, holding at risk things that other people hold in value. And Bossert and Joyce had no enthusiasm for that at all. But you see this movement in that we are going to increase the cost to other people if they do cyber damage to the United States. I am choosing my words carefully here, that is not saying better cyber defenses, that is saying cyber defenses are really hard and therefore we need to convince people it’s a bad idea in the first place. So I look upon this as a very interesting development.
Both Rogers in his last testimony to the Senate and Nakasone in his confirmation testimony talked about this in, I think, fairly clear ways. I wrote an article about it. It appeared in the Hill, they are pushing for creating the policy and legal structure to do things in the cyber domain above the threshold of routine espionage but below the threshold of armed conflict.
FIFTH DOMAIN: So this would kind of implies that Nakasone and these division heads are forging cyber policy absent a direction from the White House. Is that an accurate representation?
HAYDEN: Well, I would meet you halfway and say it looks as if the intellectual development of a way forward is really centered at Ft. Meade rather than the White House. But Ft. Meade can’t do anything until they have a policy agreement. I need to emphasize this. Obviously, what I just said is a truism for everything. But it’s an absolute truism for cyber. And my experience tells me that using a cyber weapon in the 21st century was like suggesting using a nuclear weapon in the 20th.
FIFTH DOMAIN: That still requires this approval, this top of the food chain approval?
A senior Defense Department official described the current administration's cyber policy as “a potential catastrophe” because cyber briefings are missed or not taking place altogether.
FIFTH DOMAIN: When I first reached out to you, what I was interested in talking about was China, because as a journalist and yourself, an intelligence official, I like to deal in counterfactuals and trying to question hypothesis. So now in the news everyone is talking about Russia. But is Russia the real long-term threat to the U.S. in cyberspace, or is it really China? What threat do they pose and is the U.S. reacting to that in a way that is successful?
HAYDEN: I’ll parse it out at two levels. One is just the overall question of China and Russia, and then the cyber realm. Let me start with the overall question. In all my public presentations, I am pretty adamant about this: China is a surging power; Russia is not. Russia is a revanchist power. I talk about the real limits of Russian power and what makes Russia dangerous is they know their limits. They know time is against them. They know that history is not on their side. And, therefore, Russia might embrace short-term risks because they know, in the long term, their economy and their political system can’t sustain.
The Chinese think their economy and their political system are the model for the 21st century. So what you’ve got is an aggressive but under-confident Russia, and a confident and maybe at times dangerously confident China. So that’s the macro, geostrategic question.
At the specific cyber, the bumper sticker that I use is that the Chinese have scale and the Russians don’t. So at the level of cyber problems, what strikes you about the Chinese is the mass of effort. What strikes you about the Russians is how they can be so high-end when they want to be. And I would suggest there are two different flavors of threat. For the Chinese, the threat is cyber.
I’m sorry. I’m talking you through a theological model, but it’s how I think about it.
It is cyber espionage of American secrets — military or industrial — which is very aggressive and very extensive. And the other is cyberwarfare in the sense that China knows we are an information-based military. We get our combat power our of precision, not out of mass. And precision is enabled by information. If they can deny us information, they deny is precision, and we do not have mass to fall back on. Does that make sense?
So you have got Chinese peacetime espionage and then Chinese wartime cyberattack to deny America information dominance. That’s China.
The Chinese government is matching its aggressive cyber skills with an ambitious Belt and Road Initiative.
The challenge from Russia is not the narrowly defined cyber challenge; the challenge from Russia is the information challenge. So I tell a story, Justin. When I was a commander down in Texas, down at the Air Force Intelligence Agency, we were on the cutting edge of cyber domain stuff. And we had a knock-down drag-out fight as to whether or not we were in the cyber business. Cyber dominance or information dominance?
With cyber dominance being computer network attack and defense exploitation, whereas information dominance included cyber activity, but also included public diplomacy deception and so on. And we argued about it, and finally decided we are in the cyber business. No. 1 because that was hard enough. And, No. 2, you can’t really be in the information dominance business for very long in the United States without having policy, legal and even constitutional questions. You know.
FIFTH DOMAIN: [laughs]
HAYDEN: Seriously. And the way I tell the story is we decided door No. 1, and that’s why we have a cyber dominance, and that is why we have a Cyber Command. The Russians went to door No. 2. And their approach is a broad information approach, which is all about fake news, Russian bots, the internet research agency, trolls and so on. And so when I talk about the cyberthreat from Russia, I quickly redefine it as the informational threat. Whereas with China, I pretty much stay in the cyber lane.
FIFTH DOMAIN: So given that there are these two different models for what the threats to America are, can the U.S. respond to both countries at the same time, or are they mutually exclusive? By combating one, do you become more susceptible to the other?
HAYDEN: They are additive. The techniques that might not be best for one might not be the same for the other. So, for example, Chinese questions in the cyber lane, other than that question of deterrence, I don’t know if we have a lot of really high-end, philosophical questions to solve. With the Russia problem we do. I mean, that’s why you have the arguments with Facebook and Twitter and YouTube, and state election commissions. It’s a more complicated, broader problem requiring more actors to synchronize their work than simply preventing the Chinese from stealing Lockheed Martin’s designs.
The National Risk Management Center is supposed to provide a centralized home where companies and local agencies can go to for cybersecurity issues.
FIFTH DOMAIN: You mentioned that the Trump administration is working closer with businesses. And, obviously, we’ve seen that with the Department of Homeland Security and the Risk Management Center. But I wonder if the relationship the government has with Facebook and Google, if that has to change at some point. If they have to be regulated, because the Obama administration was famously very tight and close with these folks from Google and Facebook. Do you think that government’s relationship with these companies has to change to combat the information threat?
HAYDEN: Yeah, I do. And when Mark Zuckerberg was up there testifying and people asked my thoughts on it, the way I chose to express myself was as kind as I could be, because I don’t think there are any evil people involved here, but what I said was, “Here is a classic example of ambition and technology getting out in front of law, policy and norms.”
You see the three things there: law, policy and norms, not all of them are compulsory. We were in a bad place because we didn’t have laws, policy and norms to reign in the ambition or the technology that we had created. We saw the dark side of that in the 2016 elections and other things that have followed. So, one way or the other — law, policy or norms — we are going to have to change how we do this.
FIFTH DOMAIN: So what should the response be when it comes to the legal and the policy aspects? One options is when you talk with executives from CBS, for example, they argue that Facebook should be opened up to the same libel laws that they are. I’m just kind of throwing out ideas, but do you have any concrete ideas?
HAYDEN: Sure, one is they should certainly be opened up to the same sort of political campaign laws that broadcast media is. That’s an easy one. Second, by law policy or norm, they should be required to eliminate artificial stimulation in their network. And by that I mean botnets to a level of confidence I think we can all agree would be sufficient, not perfect. They can tell when something is trending because of human beings, or they can tell if it is trending because of machines. They have the technology to identify it, stop it, so that they artificial stimulation of social media is reduced. Those are two absolutely concrete things.
FIFTH DOMAIN: Some folks would say, look, America is being picked apart in cyberspace and particularly when it comes to contractors, when it comes to banks. One much debated option is allowing hack-back in some form, whether you want to control it or not. Do you think that the hack-back idea for firms is a way to deter these threats in cyberspace or is there a different option that can better protect America from, the assumption is, being picked apart?
A new book has added to a long-running debate regarding whether a company should be able to retaliate in cyberspace.
HAYDEN: So the whole theological doctrinal debate going on now about cyber deterrence with Rogers and Nakasone, is actually an attempt to preempt what you just described. So that is one. Two, I am willing to tease that thought that you just put out there more than most people with my experience. Most people with my experience immediately go into vigilantism and the [inaudible] incident and just go off.
I keep saying, let’s think about this a little bit. What do you mean by hack-back? How about we just begin to work with active defense? And are you really saying that no one is allowed to do anything beyond their own firewall? Might there be some actors, not everyone, who can do some things, sometimes beyond their own firewall?
I give an example. I am on the cyber board of the Commonwealth Bank of Australia. The Commonwealth Bank is one or both ends of over half of all banking transactions in Australia. It used to be the federal reserve. And, so, I just lay it out there saying: What do you think? Might the Australian government, given how big and important this bank might be, want to give them a little more headroom than you might want to give to Fred and Ethel’s bank out in Alice Springs? And so I am not reflexively dismissive, but I am cautious.