Edward Snowden has likened Gen. Michael V. Hayden to Voldemort, the Dark Lord of the Harry Potter novels, and while that makes Hayden chuckle, he has no kind words for the former N.S.A. contractor, who he says “has done great harm, with almost criminal indifference to its consequences.”
On the other hand, The New York Times once called Hayden “the thinking man’s spy,” and that characterization seems apt.
“There is genuine evil in the world, but you do not have to impute evil to everyone who is your adversary,” Hayden says. “The intel guy has a special role because the policy guy will always point to the evil. The intel guy can have a different perspective. I say publicly that I don’t think the deal with Iran is going to work, but I don’t have to demonize the Iranians.”
When Hayden speaks, the C-suite listens, because he has a resume that demands attention and respect: director, Central Intelligence Agency (2006 – 2009); first principal deputy director of National Intelligence (2005 – 2006); and director, National Security Agency (1999 – 2005).
For chief executives who still think cybersecurity is a matter best left to their technical staff, Hayden has a simple message: think again.
“I sit on a lot of boards, and I always start by asking, ‘Do you have an audit specialist on your board? Of course you do. Then why don’t you have a security expert?’” Cybersecurity, he asserts, is no longer just about technology. “This is about governance,” he says.
Interviewed at the Washington, D.C., headquarters of the Chertoff Group, where he is a principal, Hayden is affable and candid, with a folksy manner that belies his decades of service at the highest levels of military and intelligence service.
Hayden says the popular conception that the Web was once safe and has become dangerous is wrong. Yes, it’s true that back in the early ’90s, when the World Wide Web and the Mosaic browser first made the Internet accessible to ordinary mortals, cybercrime was novel, rare and primarily the pastime of bright young men with poor social skills. Yes, today every organization, every site of any significance, is under constant attack from multiple weapons wielded by diverse actors. But that vulnerability is not by accident; it’s by design, Hayden says.
“It’s not that it was good and then it got bad; it was built bad,” he says. “Now before my good friend Vint Cerf starts sending me nasty e-mails, let me elaborate. This thing was invented by Americans, pretty much by Vint Cerf at Stanford, and he will tell you the statement of work was ‘How do I move large amounts of data between a limited number of nodes, all of whom I know, and all of whom I trust?’ There was no requirement for security. Security at that point would have been like saying I need a locked door between my kitchen and my dining room. Now what became of this limited architecture, then known as Arpanet, which linked up a few universities and a few labs, is it took off. The problem is that its architecture implies trust. Security is not baked in, it’s not made to be defended, and now you’ve got the World Wide Web, with limitless nodes, most of whom you don’t know, a bunch of whom you shouldn’t trust, and they’re coming at you.”
Hayden doesn’t speak fluent Fortran, and while college students can now major in cybersecurity, the former N.S.A. chief earned bachelor’s and master’s degrees in history from Duquesne University. (He also did postgraduate work under the Defense Intelligence Agency’s training program.) But he is proud of his liberal arts background, which he says helps him frame complex issues in human terms. It may also account for a colorful use of metaphor, like his description of the World Wide Web.
“I’m a liberal arts major; if I get too far into technology I’ll be making things up,” Hayden says by way of introduction. “I went to London in the ’80s, and I found Soho, and Soho in the ‘80s was pretty raw. It was art, it was dance, it was theater, it was drugs, it was drunkenness, it was prostitution. That’s today’s Web. And yet there were other sections of London at that point in time that were very safe, far less interesting, actually kind of dull, but very safe. We can do that.”
Ever since it became apparent that today’s Web is anything but safe, there have been proposals for a do-over, or a parallel Internet that would incorporate in its design the security this one lacks. One of the most prominent, appropriately based at Stanford University, is the Clean Slate Program, which its creators say will apply the school’s “depth and breadth of expertise to explore what kind of Internet we would design if we were to start with a clean slate and 20-30 years of hindsight.” David Clark, a senior research scientist at the M.I.T. Computer Science and Artificial Intelligence Laboratory and a leader in the development of the Internet in the 1970s, is now focused on a redefinition of the architectural underpinnings of the Internet, and the relation of this technology and architecture to economic, societal and policy considerations.
These and other future Internet projects all incorporate the built-in security lacking in the original, and test versions in varying states of completion are up and running at multiple sites. In contrast to today’s wide-open cyberspaces, based on trust, these safe nets are informed by a siege mentality. They assume constant attack by countless enemies, so they deploy encryption of mind-boggling sophistication, multiple password protocols and other protective measures too arcane for liberal arts majors to describe. Hayden says they will be far less fun than the World Wide Web, and slower, because all of those security measures take time and create latency, that dreaded delay between the mouse click and the next page. But they will be very, very safe.
Hayden says he is confident that such a safe Internet will be available in the future, and that organizations and individuals will readily accept speed limits and a relative dullness in return for rock-solid security, just as many people choose to live in gated communities and other neighborhoods far less lively than Soho. “It will happen,” he says. But in the meantime, he counsels clients of the Chertoff Group that there is much they can do to make their operations safer on the Web we have now. “Clients need a way to understand their level of risk, so I start with a simple equation: Risk equals threat times vulnerability times consequences,” he says, drawing it on a page: R = T × V × C
Since this is a multiplication, the level of risk builds rapidly with any increase in one of the three variables. Each has no theoretical limit, and the best an organization can do is to measure and manage them. The most difficult to comprehend is threat, which has grown exponentially in the past two decades.
The individual hackers and pranksters who launched the viruses and worms that brought the early Internet to its knees never went away, and they have been joined by so-called hacktivists, terrorists of every stripe and simple opportunists. Organized crime is a player. State-on-state and state-on-corporate cybercrime are a growing concern, as highlighted by alleged Chinese intrusions into The New York Times, The Wall Street Journal and The Washington Post.
The risk of internal threats was brought home by the actions of Edward Snowden, the contract employee who leaked scores of classified N.S.A. documents to media outlets. “The best defense is knowing what your enemies are up to, before they know you know it,” Hayden says. “For today’s CEOs, there is also the challenge of figuring out who and where your enemies are.”
Ultimately, the identity and location of all potential enemies is unknowable, so most organizations focus on managing their vulnerability. This is the domain of firewalls, software products from companies like McAfee and Symantec, and enterprise-level solutions like Mandiant’s suite of tools and services to deter and contain cyberattacks. Organizations have deployed waves of cyberdefense, Hayden says, but even the most aggressively secured networks have gaps. Vulnerability management is essential, but “it operates in the past,” he says.
That leaves consequences, which occur in the present. Since intruders will penetrate even the best-defended systems, it is essential to contain those attacks and stop invaders from reaching the most sensitive assets. The challenge for today’s companies, which operate in a 24/7 online environment, is to develop comprehensive strategies to manage consequences without building barriers that get in the way of doing business, Hayden says.
Perhaps surprisingly, Hayden says he sees some innovative consequence management tools coming from the insurance industry, which is after all in the business of mediating risk. Insurers have become more adept at assessing cybercrime risks. “This is something government has been very slow and very poor at addressing, but we are seeing private industry step up to the plate very rapidly. We will see a lot more from that corner.”
The history of the Internet, and indeed of all technology, is that innovation proceeds far more rapidly than do policies and practices. The first personal computers in workplaces came in through the back door as employees sought to use these productivity multipliers in their work, leaving systems administrators fuming at the resulting chaos. 3Com’s Ethernet adaptors enabled networks of PCs, adding to IT woes, and laptops extended the enterprise beyond office walls. Smartphones took computing into the ether, and introduced an entirely new set of vulnerabilities. Today the innovation that has staff rushing to catch up is “the cloud,” which moves data and applications off local servers to far-flung service providers like Amazon Web Services, CSC and Rackspace. Cloud computing is a tremendous risk and a tremendous opportunity, Hayden says. Greater efficiencies, economies of scale, high-end services and—most importantly—reduced costs make the cloud all but irresistible to government and private enterprise. The move to the cloud now seems inexorable, a train that has left the station. But the concentration of data and computing power in cloud-based systems creates a tantalizing target for cybercriminals and rogue states, and entrusting vital resources to a third party creates potential liabilities for clients for attacks they cannot foresee or control.
“The stakes are high and the costs of a mistake particularly grave,” he says.
But Hayden also sees in the cloud a golden opportunity to build in some of the robust security lacking in the World Wide Web, even without an alternative Internet. “The transition to the cloud gives us a chance to change that flawed security paradigm,” he wrote in The Hill, a newspaper written for and about the U.S. Congress. “We can, if we choose to, build in more powerful security principles from the beginning as integral components of cloud architecture. Where more sophisticated and costly security solutions are too expensive for an individual user (or small network), they are more affordable when the costs are distributed among a larger group of users.”
Picking the right cloud provider is critical, but Hayden says that is within the capability of today’s IT staffs. “It means asking the right questions,” he says. “Where are you going to put my data? Will it be encrypted in storage? Will it be encrypted on the fly?”
While cloud customers need not understand the underlying technologies to use these services, any more than most automobile drivers understand fuel injection or electronic ignition systems, that does not relieve them of responsibility. Managers still need to take responsibility for the governance of data or services living in the cloud. ”The current generation of computer science graduates totally gets this,” he says.
But he adds that information security officers need more than technical chops. They have to see the problem from an enterprise preparedness standpoint, not just as a matter of compliance, and they need to understand the importance of external relationships. They need to appreciate that the organization’s reputation is as much at stake as its data. And they need to be able to communicate without resorting to jargon and hyperbole.
“The single most important qualification in a security recruit is the ability to speak English,” says Hayden. “If you cannot define and articulate the issues to laypeople, the technical ability alone won’t serve you.” In addition to communication skills, character is high on Hayden’s checklist of essential attributes. “I did the commencement speech at my alma mater, Duquesne University, a few years ago, as director of Central Intelligence Agency,” he says. “I told them that the more senior I got, the less I relied on any technical expertise and the more I relied on the things I learned from my parents and the nuns in Catholic high school.
When you get to a very senior position, it’s more about ‘should’ than ‘could.’ I told the graduates, ‘Everyone got here because they did things right. From here on out, your career is going to be governed by how you decide to do the right things.’ ”
Hayden says he and the other veteran intelligence operatives at the Chertoff Group bring to clients a level of firsthand experience and contextual understanding that is rare. “We have seen things that they have never seen; our body of experience is something they don’t share,” he says. “It allows us to give them a context that they can’t create for themselves. We were asked by a client once, as Hamas was lobbing rockets into southern Israel, ‘How safe is Jerusalem? How safe is the airport?’ And just by instinct I could say, ‘You’re O.K. now, but if these three things happen, call us.’ We know how things go down there. I won’t claim that I have the same kind of detailed tactical knowledge that I had my last days as director, but people like me can read through the headlines and the news.”
“There is genuine evil in the world, but you do not have to impute evil to everyone who is your adversary. The intel guy has a special role because the policy guy will always point to the evil. The intel guy can have a different perspective. I say publicly that I don’t think the deal with Iran is going to work, but I don’t have to demonize the Iranians.”
Hayden teaches two classes at George Mason University as a distinguished visiting professor, and he says many talented students are interested in pursuing intelligence work. “I tell them it’s very rewarding, very interesting stuff. You won’t regret it,” he says.
Of course, a certain popular cable TV series doesn’t hurt. Hayden says he never misses an episode of “Homeland.” “I love it. People say it isn’t accurate, and yes, almost everything in the foreground is wrong. But the stuff in the background, the tension, the sense of isolation, is absolutely right,” he says. “We got to attend the third season premiere, and I shook Mandy Patinkin’s hand. I said, ‘You know, I also used to play the director of the Central Intelligence Agency.’”
Insights to your inbox
Stay on top of the latest leadership news with This Week in Leadership—delivered weekly and straight into your inbox.