Industry and Government Must Collaborate to Defend U.S. Cybersecurity, NSA Directors Say
Current and former National Security Agency officials stressed the importance of a collaborative public/private effort to secure the nation’s critical assets from cyberattack. Chris Inglis, NSA deputy director, and Michael Hayden, the former director of the CIA and NSA, both advocated such an approach Thursday at the Billington Cybersecurity Summit.
Though Congress has failed to enact cybersecurity legislation this year, Hayden said he’s optimistic that lawmakers are having a serious debate on the issue. Hayden described the Senate Cybersecurity Act (S-3414) as a “fairly well-developed concept” but said it’s clear that Congress won’t pass cybersecurity legislation this year. It’s quite possibly the “only piece of legislation in American history that is equally opposed by both the U.S. Chamber of Commerce and the ACLU,” he said. Nevertheless, Hayden said Congress has seized on the issue, and noted that the private sector has “really moved forward” to provide cybersecurity in the absence of federal legislation.
Hayden said there are some big ideas in cyberspace relative to privacy and security that America has not yet decided upon. In particular, the American people have not given their government guidance on “what they want it to do or not to do with regard to cyberspace. … We have some rough edges in the physical space on how we want government to balance security and civil liberties,” he said.
The last thing the government should do is regulate or mandate the nation’s private sector cyberassets, said Inglis. To regulate and mandate certain practices is “never the first card to draw and never necessarily the right card to draw,” he said.
Ultimately the nation’s cybersecurity depends on a strong collaborative effort between the private and public sectors, said Inglis. The private sector makes “very rich” contributions to the nation’s cyberdefense, he said. “Companies have invested massively not just in the basic technology that created this environment, but in the security properties and resiliency that make it such that it is a defensible network.” The government can also contribute much to the nation’s cybersecurity, he said: “Creating information sharing propositions or perhaps a transfer of intellectual property from the government to the private sector might be much more profitable.” For instance, agencies like the NSA have a unique understanding of the nation’s vulnerabilities in cyberspace that they can communicate to private sector entities on the front lines.
It’s important for U.S. policymakers to prevent other nations from balkanizing the Web, Hayden said. “There are nations in the ITU who want to solve what they define as security problems on the Internet by destroying the Internet as we know it. To make it not universal, not ubiquitous, not the same for everyone. To actually balkanize it and carve it up into different pieces. In other words, injecting into this new domain the notion of sovereignty and borders and controls that we’ve grown accustomed to” in the other domains, he said.
The deployment of the Stuxnet virus against an Iranian nuclear facility has changed everything, said Hayden. It “reminds me of August 1945” when the U.S. dropped nuclear bombs on Japan, he said. “It is the first use of a new class of weapons.” Hayden separately called the distributed denial of service attacks on American assets “irritating, but are the cyber equivalent of Occupy Wall Street.”