JIM LEHRER: Next tonight: part two in our series on computer security.
NewsHour correspondent Spencer Michels interviewed a man who knows a lot about the subject.
SPENCER MICHELS: Michael Hayden has been watching the worlds of cyber-security and intelligence for decades. He’s a retired four-star general in the Air Force. And he served both as director of the Central Intelligence Agency and the National Security Agency.
Today, Hayden works as a security consultant and teaches at George Mason University. He spoke at the recent Black Hat convention on technical security in Las Vegas.
We caught up with him after his speech.
General Hayden, thanks very much for being with us.
GEN. MICHAEL HAYDEN (RET.), former CIA director: Well, thank you, Spencer.
SPENCER MICHELS: General, there is the debate going on in this country as to how serious the threat of a cyber-attack is. Some people say it’s really serious. Others say, well, it’s really not war and so forth.
GEN. MICHAEL HAYDEN: Right.
SPENCER MICHELS: Where do you come down on that issue?
GEN. MICHAEL HAYDEN: I’m reluctant to use the word war. I know some of my good friends who know this very well use that phrase.
Here is how I would choose to describe it. We have created this new domain, this new space called cyber, and, frankly, it’s lawless. There are no natural technical barriers up there to protect information. That’s why all of us are — kind of have to assume a personal responsibility for firewalls. I mean, when was the last time any of us have been asked to defend ourselves personally in any other space except the cyber-space?
SPENCER MICHELS: But is there a serious threat? And what is it?
GEN. MICHAEL HAYDEN: Because it is so anarchic, there are a variety of actors out there in this space that don’t have your best interests at heart.
There are state actors out there who are interested in stealing either state secrets or industrial secrets.
SPENCER MICHELS: State actors meaning countries?
GEN. MICHAEL HAYDEN: Other nations…
SPENCER MICHELS: Yes.
GEN. MICHAEL HAYDEN: … who are interested in doing their espionage thing. And, frankly, in cyber-space, some stuff valuable to you may actually be of interest to them in ways that none of us could imagine five or 10 years ago.
You have got anarchists out there who just want to destroy things. You have potential terrorists out there who just want to do harm. And then, finally, you have got criminals. I mean, the modern-day bank robber isn’t speeding up to a suburban bank with weapons drawn and notes passed to the teller. He’s on the Web taking things of value from you and me.
And they’re all taking advantage of what is essentially anarchy out there in the global network.
SPENCER MICHELS: Of course, espionage is one thing, but, actually, launching a cyber-attack, defeating the grid, the power grid, or the water system in a whole country, or shutting down their Internet, that’s an attack. That’s war.
GEN. MICHAEL HAYDEN: And that’s a good way of putting it.
We have kind of too facilely thrown the label attack, cyber-attack, on a whole bunch of things from the American side. When we talk about cyber-activity in other places, when we say something is an attack, it means you have to have done something to somebody else’s network.
You have had to degrade his information, deny him access to information, corrupt his information, delay his information, or destroy his information, or destroy his network. That’s what we mean by attack in kind of the professional view.
SPENCER MICHELS: And is there a big threat of that?
GEN. MICHAEL HAYDEN: Of course. I think there is. All right? There are state actors out there who can do this.
SPENCER MICHELS: Well, we’re one of them, right?
GEN. MICHAEL HAYDEN: Actually, there was a survey done not too many months ago. They asked the citizens of some cyber-savvy nations around the world, who do you fear most in the cyber-domain? And, quite interestingly, we were number one.
The Chinese were a close second, but we were number one, which I think is simply a reflection that we are a technologically agile country, and we have very good intelligence services, and the rest of the world is kind of responding to that reality.
SPENCER MICHELS: So, have there been cyber-attacks? There’s been reports of them, the Israel-Syria situation, and Georgia and Estonia. Are those cyber-attacks?
GEN. MICHAEL HAYDEN: They are. And we have seen them. They have actually been fairly unsophisticated, the ones that I’m going to point out to you.
The cyber-attack against Georgia in 2008, the attack against Estonia, those were denial-of-service attacks. Those are kind of brute force attacks that just overwhelm a system, overwhelm a server and prevent access to Web sites.
I mean, those — they’re destructive, obviously, but I guess the point I would like to make is, you don’t have to be very sophisticated to do that, which makes it even more dangerous.
SPENCER MICHELS: What about an attack on a country’s infrastructure, as we talked about, or water supply, or electricity grid?
GEN. MICHAEL HAYDEN: Yes.
SPENCER MICHELS: Is that in the cards?
GEN. MICHAEL HAYDEN: They are — those kinds of systems that control these critical pieces of infrastructure, yes, they are vulnerable to attack.
SPENCER MICHELS: Is there a defense against a cyber-attack?
GEN. MICHAEL HAYDEN: By the nature of the Internet, the advantage goes to the offense. We have built the Internet in such a way that it’s very hard to defend it. It’s built on openness. It’s built on access. It’s built on agility. None of those things help the defense.
SPENCER MICHELS: Is it possible?
GEN. MICHAEL HAYDEN: It’s possible to make our targets less attractive than some other targets. It’s possible to make it more expensive for an adversary to do it. It’s possible to kind of push off the playing board many adversaries because we have made our defenses so good that they can’t attack us.
Can we make it so good that no one can attack us? Probably not. But we can reduce the chances of damage.
SPENCER MICHELS: Should the United States be negotiating to reduce these threats, when, in fact, the U.S. may be the strongest in this whole field?
GEN. MICHAEL HAYDEN: If you take the equation that we are the most cyber-capable nation in the world, it drives you towards one conclusion.
If, on the other hand, you admit that we have the most to lose in cyberspace, compared to the rest of the world, it might drive you to another conclusion. And that’s why I think we are beginning to see now General Alexander at Cyber Command, our own Department of State are beginning to suggest that it’s time to begin some international dialogue on cyber-questions.
SPENCER MICHELS: This is a very technical issue. Do you think that policy-makers who aren’t up to speed technically can actually make policy about this?
GEN. MICHAEL HAYDEN: Policy-makers can. Are they there yet? Probably not, some of them certainly not.
And that’s really the issue. The technology and the operational art of this thing in cyberspace is way beyond any of the policy lines that we have even begun to think about. Policy has to catch up. And that’s going to take a lot of work and a lot of conversations between tech-savvy people and policy-smart people.
SPENCER MICHELS: So, there are a lot of things that are really unknown in all this, it sounds like.
GEN. MICHAEL HAYDEN: Absolutely. Absolutely.
SPENCER MICHELS: And we have got a long way to go.
GEN. MICHAEL HAYDEN: We do.
I wouldn’t be discouraged. I mean, we are not far into this. Where are we, in our second real decade of cyber-domain being so ubiquitous? On the other hand, it’s growing so fast, we don’t have any time to waste.
SPENCER MICHELS: General Hayden, thank you very much.
GEN. MICHAEL HAYDEN: Thanks very much.