Making the case for the increased need of online security, former NSA director argues we need to choose between changing the internet and having two versions of it.
He began his career with a bachelor's degree in history. One thing led to another, and Michael Vincent Hayden retired as a four-star general after an intelligence career that culminated in his serving as chief of the National Security Agency (NSA) between 1999 and 2005 and as the 20th director of the Central Intelligence Agency between 2006 and 2009. Speaking in Bucharest at a conference organized at the National Bank of Romania, the ex-NSA chief argued we need a more secure internet. You can play the audio file published on our SoundCloud account or read the transcript below:
“When I was commander of Air Intelligence Agency, in San Antonio, Texas, coming out of the Balkans, I was head of intelligence for all the forces in Europe. They gave me a lesson I’m gonna repeat for you. They said, general, think of this as a new domain, a location. You know, land, sea, air, space and… cyber. Why didn’t you say that, it’s a place in which you want me to operate.” – Michael Hayden.
The internet was designed by Vincent Cerf to be efficient, not safe, in transmitting information from A to B.
“If you remember the origins of the Internet, it came out of a requirement of the Department of Defense, it came from something called at that time The Advanced Research Projects Agency. And Vint will tell, the statement of work was “how do I move large volumes of material, quickly and easily, between and among a limited number of nodes, essentially a few labs and some universities, all of whom I know and all of whom I trust”. And Vint and his gang at Stanford put together some things and wired some stuff up and created something they called the Inter Net. Limited number of nodes, all of whom I trust. Vint will tell you, we never thought about defense, we were just lashing up a few people all who knew one another and all of whom had implicit trust. Putting a barrier on that would be like putting a locked door between your kitchen and your dining room, why in God’s name would you do that? The whole architecture of the house is designed to get the food from the kitchen to the dining room. So Vint didn’t put a locked door in the Internet.
The cyber domain I’m describing to you is the largest ungoverned space ever seen.
Now keep in mind the description: how do I move large volumes quickly and easily between and among a limited number of nodes, all of whom I know and all of whom I trust. This is still the architecture of the world wide web. That is still how it’s put together. Even though it comprises an unlimited number of nodes, most of whom you don’t know and a whole bunch of whom don’t deserve your trust. But you and I think it is so convenient… Me too, I got my credit card out there, I got my bank account up there, I got my personal communications up there. Up there in that space that if it were in the physical world we would likely think of it as Somalia. The cyber domain I’m describing to you is the largest ungoverned space ever seen. We have the purpose of business, the purposes of commerce, of trade, for purposes of convenience, for purposes of art and for the purposes of freedom of expression a lot of other bunch of purposes you and I would keep in a drawer if not in a safe. But we put them up there in a domain that has all of the rule of law of that East African country. That’s why we got problems.
The three categories of digital sinners: the ones stealing your digital stuff, the ones destroying it and the ones using your digital stuff to destroy your offline possessions.
Now let me talk a little bit more about the problems, I’m gonna give you a taxonomy, here’s how I generally describe it. Ok, it’s a big deal and a dangerous deal, what’s going on out there? Well let me give you a list, this is Mrs. Hayden’s list, what are the cyber sins and who are the cyber sinners. So let me start with the sins. The most dominant sin, the one that most frequently happens is simply someone out there is stealing your stuff. Cyber theft. Stuff as your private information, stuff as your PIN number, stuff as your credit card, stuff as your intellectual property. Practically speaking all of the evils we’re seeing out there on the web is someone stealing your stuff. Now there are other sins, they are not quite as prominent but you need to keep them in mind. There’s another group of offences that I’ll call not theft but disruption and here either besides going to steal your stuff or in addition to stealing your stuff, somebody comes after your cyber network and then destroys your stuff. Georgia 2008. The Russian army, a multi division movement, moving towards Tbilisi and simultaneously in August 2008 according to public record, patriotic Russian hackers attacked the Georgian internet system with a distributed denial of service attack and brought it to its knees. The same way a year before the same patriotic Russian hackers attacked the Estonian internet system because the Estonians had the audacity to move a red army memorial from downtown Tallinn to the outskirts of the capital. The Estonian internet system collapsed. More recently, almost certainly the Iranians conducted an incredibly vicious attack against Saudi Aramco (Saudi-Arabian company that exploits the biggest oil field) with something called Shamoon. And Shamoon destroys – not disrupts – the information on 25,000 hard drives in Saudi Aramco. Now blessedly they were all in the administrative system, not in the operational system.
You know the 25,000 hard drives we most depend on? They got destroyed over the weekend
Whatever your work is, think of going back to work on Monday and have someone in the office come up to you and say “you know the 25,000 hard drives we most depend on? They got destroyed over the weekend” then you have a sense of the destruction. They say the Iranians come up for the American banks. Big American banks. In a Distributed Denial of Service (DDoS) attack, which is just pinning the banks with enough hits on the servers that the servers just collapse. They went after Bank of America, they went after Wells Fargo, they went after JP Morgan Chase with these DDoS attacks. I talked to the security officer at one of these banks and he said that in a normal business day their website, the public website, gets about 1500 hits a minute. That’s you and me trying to cash a check or something. At the height of the Iranian attacks they were getting 3 million. Which means you and I aren’t cashing any check.
So, stealing your stuff, disruption, and there’s a third category of offence out there, third category of sin, and that is actually destruction of physical stuff. It’s taking over a network and using that control to create destruction not down here, in the cyber domain, but creating destruction up here, in the physical space. And clearly the poster child for that is something called Stuxnet. Stuxnet was the attack against the Iranian nuclear facility at Natanz (town in Iran) and it destroyed about 1000 centrifuges at Natanz and everybody knows that this is a weapon comprised of ones and zeros.
This was a cyber weapon that went in and took control of the control systems down here and then issued orders up here for the centrifuges to spin at self destructive speeds while the monitoring systems down here kept saying everything is normal. The first time the operators found out they had a problem was things going pop in the centrifuge hall. And about 1000 centrifuges are destroyed. Now, given my background, CIA, NSA, destroying 1000 centrifuges at Natanz is about the purest good I could describe for you. But let me just describe that event in just a slightly different way. Someone, almost surely a nation state or two, because this is just too hard to do from your mum’s basement, someone, almost surely a nation state, has just used a cyber weapon, in a time of peace I might add, to destroy what the other nation could only describe as their critical infrastructure. That’s a big deal. Someone has crossed the Rubicon. We got a legion now at the other side of the river. I was quoted in one book saying that I understand their destructive power is very different but this feels a little bit like August 1945 (Atomic bombings of Hiroshima and Nagasaki). Mankind has just used a new class of weapons. And if you check our species history, once you use a new kind of weapon, it’s really hard to kind of undo that. So those were the cyber sins. Stealing your stuff, disrupting a network or physical destruction. Very quickly who are the sinners.
Who are the sinners? Nation states, criminal hackers for hire and the disillusioned activists.
Nation states. They are really good at it. By the way, mine is. All right? I was the director of the NSA and for intelligence purposes against legitimate intelligence targets we stole other countries’ information. That does not make us equals to the Chinese. The Chinese steal stuff too. We Americans do steal stuff, we do it to keep our citizens free and safe, we don’t do it to make our citizens rich. And that’s the difference between ourselves and the Chinese. Nation states steal stuff. Another group out there that steal stuff are criminal gangs. These are fundamentally guns for hire and frankly they’re pretty prominent in the post Soviet space. So you have an awful lot of very talented people working for whoever will pay them to go out and steal stuff or disrupt networks on behalf of other people. So, states, criminal gangs and the third group… I don’t have a good word for it in either English or Romanian so bear with me… I’m gonna call them the disaffected. Anarchists, activists, how about that guy, Guccifer…
Not doing it for profit. The ability to do this stuff, to disrupt or to steal goes just as I described to you. Nation states are the most able, then criminal gangs, then the least capable are the third group I just told you about. I’m really happy about that. Why? Cause nation states, they have to be responsible for their actions, actions have consequences, criminal gangs are a little less controlled but fundamentally they’re parasites. They’re living off their targets. And I don’t know an example in nature of a parasite that survives by destroying its host. So they will be bad but not catastrophic. I am worried about that last group though. The disaffected. You know, the 20 something, still in their pajamas and flip-flops and living in their mum’s basement. Who might be mad at the world. Who might have demands you and I don’t understand or really can’t meet. They are least capable but the sad truth is the tide’s coming in and all the boats in the harbor are going up. Capabilities are rising for all 3 groups and it won’t be a long period of time before this group down here acquires capabilities we now associate only with criminal gangs or mid-range nation states. So then what happens? I give you one example. I told you about cyber weapon, about Stuxnet. What it did and how it was used. You realize, up here in physical space – you know: land, sea, air –, if you use a weapon it pretty much destroys itself. Use a weapon out here, in cyber, and it lives forever. There’s a German fellow, Ralph Langner (TED video), he’s becoming a very good friend of mine. Ralph is the one who discovered Stuxnet in the wild. And Ralph is the one who deconstructed it. And explained how it all worked. And Ralph will tell you that 80% of the elegance of Stuxnet, the weapon, was in keeping it stealthy, not in the weapon. Now, if you are from the third category, how much interest do you have in keeping it stealthy?
80% of the elegance of Stuxnet, the weapon, was in keeping it stealthy, not in the weapon
I can’t predict the future, we’ll see what happens. All I’m trying to suggest is if you think it is bad now, it won’t get better soon, in fact I’m almost sure it will naturally get worse.
With that happy thought, let me transition you to what should we do. If all would be happening up here, in the air or land, we all would say “well, get the government on it, they are supposed to protect us, that’s why we pay taxes”. The sad truth, borne out by my experience, is that our governments are tied and bound. We will permanently be like this. We will fall short on protecting you down here in the ways you were accustomed to up here by your government. In my country, my citizens have not yet told my government what it is they want to do or what it is they will allow us to do down here to keep you safe.
All that Snowden stuff has made this debate even more still in the US. As difficult as this was, getting our government on the field and protecting us down here, it is now doubly difficult and my congress will not enact legislation. I know you have, you have moved forward, you have new cyber laws, you are looking for a role for government. God bless you, that is the right course of action. But even you will find it difficult to balance security and liberty, privacy and safety. My government is still (…) on that question. It is going to stay really unsafe for a really long time. Don’t despair. The government isn’t the only thing that can protect you down here. I’ve been out of government for 5 years by now and I did a lot of things during my service to keep United States and its friends safe and free. But I have been amazed in my 5 years out of government in this particular issue, on cyber security, how much the private sector is doing. In my country’s tradition, if the government doesn’t show up, someone else shows up and says “hey, I could make some money doing this”. Private sector moving in. First thing I noticed is that the private sector as victim now gets it. The two American sectors that really get it now are the financial services and the power industry.
Risk = threats x vulnerabilities x consequences
A new, safer internet or one that works in parallel with the internet we have now?
Remember I told you it’s a domain? Land, air, sea… cyber? Remember I told you I know who did this, who did that and what for? We did and we messed it up. We didn’t make it defendable. You know, since we built it, we can change it. The web we have now doesn’t have to be the web forever. Let me give you two examples. The one has to do with urban zoning. I’m sure many of you have been to London. I recall going to London in the eighties and walking around SoHo. It was wonderful. You got art, you got poetry, dance, drama, you got literature, you got drugs, you got prostitution, you got crime. SoHo in the 80s is today’s Internet. It’s wonderful, liberating and kind of dangerous. At the same time of my visit to London I visited other parts of London. It appeared to me very safe. There were gated communities and fences and passwords and so on. That was an incredibly safe part of London. It was also incredibly boring. It is in our ability to keep today’s world wide web for all the cultural liberating self expression things that exist on it today and build another one where serious people like me and you can keep serious things. It won’t be as ubiquitous, it won’t be as convenient, it won’t be as fast, it will require two factor authentication. But it will be safe. There is no reason we can’t do that. Rather than make one web meet all needs… We’ll see. That’s one future. By the way, that’s actually kind of nice, I like that.
Let me give you another one that’s not so nice. There was a meeting 13 months ago in Dubai. The meeting of ITU (International Telecommunication Union). The ITU is making a move to take internet governance. Now, internet governance is pretty much a private-public partnership. And we Americans have a bigger hand in it than we will have tomorrow or the day after, it’s a smaller hand than we used to have a week ago, I understand. Governance of the web is becoming more global. But it is not my government, it’s a coalition of the willing. The web really is a blessing being egalitarian, unitarian and free. Well, there is a group at Dubai who don’t worry about someone stealing your stuff on the web, that’s my lecture, they worry of the nature of the web itself. They don’t worry about internet theft, they’re worried about the freedom of internet expression. And at Dubai the Russians and the Chinese pushed very hard, supported by 50 or 60 other countries to take the barriers you and I are used to up here – you know, borders –, and drop them down here, in the internet. Pretty much you plug into this thing anywhere and it’s the same thing. Well they don’t want that, they want to separate the domains. The Russians and the Chinese because they want to control the flow of information. The other 50 countries because they want to make money. If you don’t think this is real, Eric Schmidt, CEO of Google wrote a book last year about it called “The New Digital Age” I think and they are saying there we are in fast pace towards a digital visa. You will have to have the permission of the domain owner to enter the domain. If we don’t watch it, we could turn this web whose strength is ubiquity into Balkanized islands in which you need visas and passports to surf the web. We are already beginning to see digital residency requirements as governments around the world make demands that cloud service providers promise that the data will only be stored in their software space, not anywhere else.
One of the darkest results of this Snowden affair is that it has inadvertently strengthened the hands of those whose purpose is to destroy the internet as we know it.
We do not steal for profit, the Chinese do. The Chinese use the elements of state power to attack private companies. And I don’t care if you’re Google. If you are attacked by a powerful nation state… Only nation states can defend against other nation states.