Tommi - Fotolia

Former NSA chief wants private sector to take on cyberthreats

Protection against WannaCry ransomware and other cybersecurity threats could benefit from better leadership in the business world, former CIA and NSA head Michael Hayden says.

Cybersecurity should not be left completely to the military and intelligence agencies, according to former CIA and National Security Agency chief Michael Hayden.

In his keynote speech at the ZertoCON user conference in Boston last week, Hayden said the private sector needs to step up and do its part in stopping cyberthreats in the internet age.

"I see a lot of senior leadership running away from the cyber problem, especially in the private sector," he said. "[They say] 'I don't know that kind of stuff. That is too hard for me. I'll defer it to someone else.' That is not humility. Real humility requires senior leadership to step in and know that is their responsibility. It actually requires doing some homework, but it's their responsibility."

Hayden, a retired United States Air Force four-star general, co-chairs the Bipartisan Policy Center's Electric Grid Cybersecurity Initiative. He served as the director of the CIA and NSA under former President George W. Bush.

Hayden described how a hyper-connected, global world has coincided with the decline of centralized power among nation states. This high-risk world empowers substate actors and individuals looking to do harm, bringing us to this era of hacked emails and WannaCry ransomware.

"The post-industrialized era has pushed power to the edges and pushed power down," Hayden said. "I have seen it more dangerous [than now]. I have never seen it more complicated. And I have never seen it more immediate.

"We really are interconnected," he added. "This connectivity is at 12 knots an hour with a favorable wind."

Terrorism, transitional crime and cyberattack threats come from nonstate actors and products of technology connectivity.

"Let me tell you the big-picture problem," Hayden said. "Every free people have always had to balance their security, their liberty, their privacy and their safety. We Americans are blessed with two big oceans and neighbors who are weak and/or friendly. We've always been able to tuck ourselves up here near liberty and privacy. We never felt under threat."

I see a lot of senior leadership running away from the cyber problem, especially in the private sector.
Michael Haydenformer director of the CIA and NSA

Hayden said the classic risk equation is "Risk = threats x vulnerabilities x consequences."

"I can use it for ground combat," he said. "I can use it for aerial combat. I can use it for automobile insurance. We are using it this afternoon for cybersecurity. Most of the history of cybersecurity has been reducing your attack surface. Most of this has been in the McAfee kind of world. Most of this has been about firewalls. Most of this has been about [software] patches, cyber hygiene. Most of this has been about password discipline. The history is protecting the perimeter. The history is 'Don't let them in.'"

Hayden said focusing on vulnerabilities will tackle 80% of the cyberthreats, but it does not guarantee success, because a persistent attacker will get through to a system.

"The current energy, and I mean the entrepreneurial and technology energy when it comes to cyber-risk, is in consequent management," Hayden said. "It's the presumption of breaches. It's about resiliency. It's about recovery. It's about backup preparation."

Hayden suggested insurance for cyberthreats as a way to bring the private sector more into mitigating cyberthreats.

"Cyberinsurance may actually be a good mechanism to raise the water level of cybersecurity here in the United States because cyberinsurance creates a business case, as opposed to a regulatory case, for better cybersecurity," he said.

Next Steps

Ransomware issue reveals GDPR vulnerabilities

Ransomware data security awareness more important than ever

How object storage can protect against cyberthreats

Dig Deeper on Cloud backup