Carnegie Mellon University
November 09, 2016

Key To Cybersecurity Lies Between Policy and Tech, Says Former CIA Director

By Mike Wereschagin

The cyber domain – a man-made arena shared by nation-states, corporations, criminal gangs, lone hackers and law-abiding citizens – has rocketed beyond established policy and upended the idea that governments provide the first line of defense for their citizens, America's former spymaster told an audience at Carnegie Mellon University.

Retired Air Force Gen. Michael Hayden, the former director of the CIA and National Security Agency, said that while policymakers struggle to understand this new area of operation – one that can be just as perilous as the traditional theaters of land, sea, air and space – private companies are installing themselves at the forefront of cyber-security.

“There is a massive gap between policymakers and technologically smart people,” said Hayden, a Pittsburgh native. “Now, we can wait two generations and allow the current crop of digital natives to replace the digital immigrants who are now governing our processes, or you all, in addition to mastering your technical skills, can actually master the language that would enable you to talk to people like me, people who make policy.”

The clock is ticking. As the public debates the limits of privacy and security, nation-states and their agents have weaponized the world's data and breached the wall between cyber and kinetic attacks, Hayden said. He highlighted the Stuxnet virus, believed to have been developed by the U.S. and Israeli governments, which destroyed thousands of Iranian centrifuges critical to uranium enrichment.

The damage done to Iran's nuclear program was “pretty much good news” in isolation, but the big picture gets more complicated, he said.

“Let me put it another way: Someone, most likely a nation-state, during a time of peace destroyed what another nation can only describe as critical infrastructure,” Hayden said. “This was crossing the Rubicon. This has the whiff of August 1945,” the advent of atomic warfare.

The dilemmas of the cyber domain – including suspected collusion between the Russian government and criminal gangs to use stolen Democratic National Committee emails to meddle in the U.S. presidential election – aren't getting any easier, he said.

“Most of the human beings on this planet who have easy access to (the internet) live in the parts of the world right now where the rule of law is strongest,” Hayden said. “Just wait a few more years when we wire the rest of our species.”

“Institutions like yours have a really important role to play” in building the social and legal architecture of the digital world, Hayden said of Carnegie Mellon.

That's in part because of the multi-disciplinary approach academia can bring to bear, said Kiron Skinner, director of CMU's Institute for Politics and Strategy in the Dietrich College of Humanities and Social Sciences.

“We must have an ethical, political, social, historical and cultural dimension to our training in cyber-security… We have to collectively begin to think about some rules of the road, rules of engagement, what kind of structures are going to be in place, what kind of norms ought to be developed. We're really in the very early stages of a new frontier,” Skinner said.

She added, “Having thought leaders like Gen. Hayden at the university helps push the conversation forward.”

That conversation can get a little unnerving at times, said Julia Adams, a sophomore majoring in international relations and politics. She singled out Hayden's prediction that Facebook founder Mark Zuckerberg will have more influence over the limits of privacy than the U.S. Congress.

Yet at the same time, it makes sense that private companies are taking a more prominent role in defining boundaries in cyberspace, Adams said.

There is this disconnect between elder policymakers and people who've grown up in the digital age, she said.

“That's why the private sector has been able to do so well. Because people of my generation and the generation before me are going into the private sector,” Adams said. “They're not going to help the government in the same numbers.”

Without that help, and without popular consensus on the appropriate extent of federal rule in the cyber realm, the government will continue to lag behind, Hayden said in an interview after the speech.

“The most powerful limiting factor right now is not talent or technology,” Hayden said. “The most powerful limiting factors are unresolved questions of law and policy.”

CMU’s Institute for Strategic Analysis, the Center for International Relations and Politics, and the Institute for Software Research sponsored Hayden’s talk.