Saturday, November 07, 2009

Notes from Talk by Michael Hayden

I had the distinct privilege to attend a keynote by retired Air Force General Michael Hayden, most recently CIA director and previously NSA director. NetWitness brought Gen Hayden to its user conference this week, so I was really pleased to attend that event. I worked for Gen Hayden when he was commander of Air Intelligence Agency in the 1990s; I served in the information warfare planning division at that time.

Gen Hayden offered the audience four main points in his talk.

  1. "Cyber" is difficult to understand, so be charitable with those who don't understand it, as well as those who claim "expertise." Cyber is a domain like other warfighting domains (land, sea, air, space), but it also possesses unique characteristics. Cyber is man-made, and operators can alter its geography -- even potentially to destroy it. Also, cyber conflicts are more likely to affect other domains, whereas it is theoretically possible to fight an "all-air" battle, or an "all-sea" battle.

  2. The rate of change for technology far exceeds the rate of change for policy. Operator activities defy our ability to characterize them. "Computer network defense (CND), exploitation (CNE), and attack (CNA) are operationally indistinguishable."

    Gen Hayden compared the rush to develop and deploy technology to consumers and organizations to the land rushes of the late 1890s. When "ease of use," "security," and "privacy" are weighed against each other, ease of use has traditionally dominated.

    When making policy, what should apply? Title 10 (military), Title 18 (criminal), Title 50 (intelligence), or international law?

    Gen Hayden asked what private organizations in the US maintain their own ballistic missile defense systems. None of course -- meaning, why do we expect the private sector to defend itself against cyber threats, on a "point" basis?

  3. Cyber is difficult to discuss. No one wants to talk about it, especially at the national level. The agency with the most capability to defend the nation suffers because it is both secret and powerful, two characteristics it needs to be effective. The public and policymakers (rightfully) distrust secret and powerful organizations.

  4. Think like intelligence officers. I should have expected this, coming from the most distinguished intelligence officer of our age. Gen Hayden says the first question he asks when visiting private companies to consult on cyber issues is: who is your intelligence officer?

    Gen Hayden offered advice for those with an intelligence mindset who provide advice to policymakers. He said intel officers are traditional inductive thinkers, starting with indicators and developing facts, from which they derive general theories. Intel officers are often pessimistic and realistic because they deal with operational realities, "as the world is."

    Policymakers, on the other hand, are often deductive thinkers, starting with a "vision," with facts at the other end of their thinking. "No one elects a politician for their command of the facts. We elect politicians who have a vision of where we should be, not where we are." Policymakers are often optimistic and idealistic, looking at their end goal, "as the world should be."

    When these two world views meet, say when the intel officer briefs the policymaker, the result can be jarring. It's up to the intel officer to figure out how to present findings in a way that the policymaker can relate to the facts.


After the prepared remarks I asked Gen Hayden what he thought of threat-centric defenses. He said it is not outside the realm of possibility to support giving private organizations the right to more aggressively defend themselves. Private forces already perform guard duties; police forces don't carry the whole burden for preventing crime, for example.

Gen Hayden also discussed the developments which led from military use of air power to a separate Air Force in 1947. He said "no one in cyber has sunk the Ostfriesland yet," which was a great analogy. He also says there are no intellectual equivalents to Herman Kahn or Paul Nitze in the cyber thought landscape.

5 comments:

Gunnar said...

"The rate of change for technology far exceeds the rate of change for policy"

True, technology will always race ahead of security, but security can get much better at being fast followers. There is a lot of 1995 security architecture out there.

Scott said...

"He also says there are no intellectual equivalents to Herman Kahn or Paul Nitze in the cyber thought landscape."

Richard, that was his response to the question I had asked him regarding the lack of strategic planning given that we are at war today... we were really good at it during the cold-war era, where generations of administrations and people carried through on planned goals and objectives (defined and shaped by people like Kahn/Nitze). My takeaway from his response was that we haven't matured to the level where that kind of long-term planning is possible. Do you concur with his assessment? I see this lack of strategy as a political problem (something beyond a Presidential term) as much as anything else. Our enemies have very clear and publicly articulated strategies... why don't/can't we?

Marcus J. Ranum said...

Sounds like the usual squishy cyber-song-and-dance routine: intelligence operations are now cyberintelligence operations. Big flippin' deal.

Adding computers to the mix does not greatly affect the military, intelligence, or strategic landscape -- but it sure is a nice line-item for budgetary purposes.

Clive Robinson said...

A couple of points,

Firstly,

"Gen Hayden asked what private organizations in the US maintain their own ballistic missile defense systems."

I hate to disagree with such an august man but it is the wrong question historically and currently.

If you look at the history of "land armies" you will find that the "standing army" was the King's body and castle guard etc. The King further expected those with land to likewise maintain a small standing force of guard and knights etc.

Should a national conflict arise the rest of the army when mobilised was provided by the "commoners". In England it was a requirement that each man practiced with the long bow every week etc.

Private armies or regiments for defending a nation still exist or did and are recognised via "The Duke of XXXX Regiment" etc. Some such as the "Skinners" were originally raised by "guilds men" (in this case the Worshipful company of Skinners in the City of London).

As far as Cyber Security is concerned we are not even currently close to the middle ages of Kings and Courts going off to fight wars in foreign lands. We are still in the tribal ages where there was no concept of nations when warfare was little more than territory disputes settled at the point of spears and arrows with flint tips, or by criminal activity (pillage/plunder etc).

Even at the current rate of "Cyber progress" (1month ~= 2years of human progress) we are still some way off of Cyber Nationhood so the concept of "National Defense by MAD" for which ICBMs were developed is some way off yet.

So to answer the question,

"why do we expect the private sector to defend itself against cyber threats, on a "point" basis?"

Our cyber world has not developed beyond tribesmen currently so yes we do have to look out for ourselves.

Secondly,

The point about politicos and intel officers and the way they think, is spot on.

The mindset of IT Infrastructure and Security personnel is akin to that of Intel Officers and the mindset of business execs is that of politicos.

I and others have been banging on for some time that "Speaking Geek Unto the Man that Cuts the Cheque" is not the way to achieve success in the organisation. It is as ludicrous as the tourist talking in English to a Spanish shop keeper, just saying the same only louder will not get you anywhere other than annoying the shop keeper and making you look stupid in his eyes.

IT staff need to speak the language of "The Man" which is "business". Although I do not think an MBA is a requirement for a team leader (a business diploma would be helpful though) it is a requirement to enter Walnut Corridor on anything like equal terms.

One aspect of this "wrong language" is "metrics". IT metrics are a joke both to IT staff and Business management; as an industry we owe it to our future to sort it out.

Likewise taking the "Security = Defense" mindset is an odds on loser with business execs. Have a look at how the military have and still get their appropriations out of politicos to see why.

We are seen as "Geeks" not "James Bond" and the "If you knew what I knew, but can't tell you otherwise I'd have to kill you" tactic is not going to work (trust me on this ;).

Nor do you have the "You scratch my back and I'll scratch your back" pork kickback card to play.

But if you think about it you will realise that a "Security = Quality" mindset will get you a lot lot further and in reality the vast bulk of what we do is actually a quality process in all but name. But importantly most (non manufacturing) business execs although not understanding "quality" do know that it brings business advantages and improves performance of the organisation which is what the "share holders" want.

Richard Bejtlich said...

Hi Clive,

I really appreciate the historical references. Cool.

About "security = quality", I don't agree. Security could equal quality if we managed factories creating products. As soon as you introduce an intelligent adversary that mindset breaks down.