“The cyber domain looks like Somalia,” the former director of the CIA and NSA told a group of SAP customers, partners and employees Tuesday. “It is totally ungoverned — it has never been governed.”
|“If you have anything of value, you have been penetrated,” Michael Hayden told the SAP Retail Forum 2013 on Tuesday. (Photo by Rory Thomas O’Neill)|
And it is the most disruptive thing in human history since Europeans discovered the Western Hemisphere, Gen. Michael Hayden (USAF, Ret.) told the SAP Retail Forum 2013 (@SAP_Retail) during his keynote speech. Discovering the New World changed government, disease, language and even the way people think of humanity.
Cyber may even be the most disruptive thing since humans developed language, Hayden added, citing younger generations of digital natives. Their lifelong use of technology has changed the wiring in their brains, affecting cognition.
Brave New World
“You need to think of [cyberspace] as the New World,” Hayden said. “Don’t think of it as bandwidth or a budget line — your military thinks of it as a place.”
So much so that cyber is the fifth domain of warfare, alongside the old standards of land, sea, air and space. It has been since the Cold War.
But it was never designed to be secure, according to Hayden. Rather, the Stanford University team that created ARPA Net, which became the Internet, did so in response to a U.S. government request for something to quickly and easily transfer large amounts of data between a limited number of known and trusted nodes.
“Building security into the Internet would be like you going to your architect and saying, ‘I really need a locked door between my kitchen and my dining room,’” Hayden said. “There is nothing in the architecture of your house that suggests you need a locked door … because all of the architecture in your house is designed for you to get food from the kitchen to the dining room while it’s still hot.”
Since there’s no blocking the breakfast nook, Hayden offered an equation for companies and individuals wishing to appraise their exposure to cyber-attack:
Risk = Threat x Vulnerability x Consequence
Cyber defense has mostly been about reducing vulnerability, Hayden stated. But focus in the U.S. is shifting to managing consequence.
“If you have anything of value, you have been penetrated,” Hayden said. “You’ve got to survive while penetrated — operate while someone else is on your network, wrapping your precious data far more tightly than your other more ordinary data.”
A growing number of private-sector companies specialize in cyber threat intelligence, according to Hayden. They Web crawl, port scan and have foreign-born employees engage in overseas chat rooms so their clients can focus on the most likely threats, as well as their business.
Despite savvy ruses by bad actors around the world, such as spear phishing, the Internet is “quintessentially American,” Hayden said, given its egalitarian, ubiquitous and leveling nature, as well as its roots in the private sector.
“This may be the thing by which our civilization is most remembered, the way the Romans are remembered for roads and aqueducts,” Hayden said. “There’s tremendous opportunity, but be careful out there.”