“We’ve got capability on the sidelines wanting policy guidance,” he told the House Intelligence Committee, referring to the NSA. “And when we can enrich that guidance and get them in the field, the better — the safer — we are.”
Hayden’s remarks echoed what Director of National Intelligence Admiral Dennis Blair told the same committee in 2009, when he said that the NSA was the only agency with the skills needed to secure cyberspace, rather than the Department of Homeland Security, which currently oversees cybersecurity issues on government networks and liaises with the public sector about securing critical infrastructure networks.
“The National Security Agency has the greatest repository of cyber talent,” Blair said. “[T]here are some wizards out there at Fort Meade who can do stuff.”
The NSA’s role in the Bush Administration’s secret and warrantless domestic spying program, however, has raised concerns among civil libertarians that the agency couldn’t be trusted to monitor networks without violating the privacy of citizens.
Hayden acknowledged to lawmakers that there was “a natural political cultural allergy to letting NSA” monitor private networks, but he said there were ways the spy agency could do so without reading the content of communications or otherwise intruding on the civil liberties of private citizens.
“We want NSA to protect us, but we don’t want NSA out there being present where our own communications are flowing,” he said. “And we’re just going to have to have a serious chat [about that]. I think we can do that — both the technology and the ethic at NSA would allow us to do that. But it will require some convincing before the agency is given that authority.”
Hayden also said there were still some people who didn’t have a proper appreciation of the threat the U.S. was facing from foreign attackers. Speaking about recent spates of attacks on U.S. companies and government agencies that appeared to come from China, Hayden said that “as a professional intelligence officer, I step back in awe at the breadth, depth, sophistication and persistence of the Chinese espionage effort against the United States of America.”
Also appearing before the committee on Tuesday was Art Coviello, executive chairman of RSA Security, which was targeted in a serious attack earlier this year that forced the company to re-issue security tokens to customers after intruders compromised a system used to generate secret codes for RSA SecurID tokens.
Coviello told lawmakers the attack on RSA’s network “could not have been perpetrated by anyone other than a nation state.” He also supported Hayden’s assertion that the NSA should be more involved in protecting U.S. systems.
“We ought to be able to figure out a way for the NSA, which has so much expertise, to work their way in an ethical way to protect us,” he said. “To me it’s a tragedy that we can’t get them more heavily involved working with Homeland Security to a point where they can be more effective protecting American organizations.”
Kevin Mandia, CEO of Mandiant, also spoke at the hearing. Mandia, whose company has investigated numerous headline-making breaches since its founding in 2004, said that in more than 90 percent of the intrusion cases his company has investigated, the victims didn’t know they had been breached until a government agency told them so.
“In our last 50 incidents, 48 of the victim companies learned they were breached from the Federal Bureau of Investigation, the Department of Defense or some other third party,” Mandia said.
“With virtually every other crime, the victim is the first to know that they have been violated,” Mandia said in a prepared statement. “Here, however, we have the government in the unique position of informing victims that they are, in fact, victims.”
He told Threat Level that as the FBI and law-enforcement divisions of the DoD are called in by victims to investigate known breaches, they often uncover additional victims in the course of gathering forensic evidence and are the first to then notify those entities that they’ve been breached.
Mandia and the other witnesses testified that to better protect networks, there needs to be better sharing of information between the government and private companies to help everyone understand the current threats they’re facing and how to protect against them. To encourage companies to share information about breaches they’ve experienced, the witnesses urged the government to look at providing limited immunity from liability so that companies don’t have to be afraid that customers and others will use the shared information to punish them.
Mandia was also in favor of a safe-harbor program that would separate information-sharing about breaches from the kind of information disclosure that is required under the data breach disclosure laws that exist in most states. Companies would still be required to disclose a breach if it involved personally identifiable information — as the breach laws require — but they would also be able to disclose additional details about the breach to the government in a way that wouldn’t expose their identity.
Currently companies provide only limited details about breaches, because they don’t want to face ridicule or additional liability if the details disclose a failure on the company’s part to adequately secure its network. Mandia says this works against the greater good by holding back information that could help other companies learn from mistakes and protect their own networks.
“The public shaming and the stigma that goes along with it isn’t helping,” he told Threat Level. “No one’s getting smarter from [information disclosed from] the Sony breach.”