Former spy chief says U.S. lacks cyber framework

As the Trump administration's transition team continues to announce its selections for key national security positions, one former intelligence chief said the U.S. still lacks a coherent cybersecurity framework and the Trump team lacks a clear expert on the subject.

The Trump team is moving behind the scenes on cybersecurity recruitment. FCW has learned that Karen Evans, National Director of the U.S. Cyber Challenge, is working with the Trump transition team on cybersecurity issues. Evans was administrator of E-Government and Information Technology at the Office of Management and Budget (a job now dubbed "federal CIO") under President George W. Bush. 

Speaking at the Foundation for Defense of Democracies, retired Gen. Michael Hayden said the most powerful limiting factor in the cyber domain today is not technology but U.S. law and policy.

"What is it we want, and more importantly, what is it we will allow our government to do [in cyber]" are questions that the government has yet to answer, said Hayden, who has served as director of the National Security Agency and the CIA.

He said even the categories of offense, defense and espionage are still not clearly defined to the point that policymakers can agree on what authorities should be granted and at what level.

During a recent dinner with other cybersecurity thought leaders, Hayden said the discussion about what cyber is "resembled a bunch of Jesuits and a bunch of Dominicans trying to decide on the ample description of the Trinity."

That makes the challenge of coming up with international cyber norms all the more daunting, he added. Until the U.S. can settle on what it views as acceptable cyber behavior -- hacking a foreign political party is acceptable espionage, but hosting an aggressive botnet is not, for example -- then reaching agreement with other countries in areas such as privacy will be difficult.

Hayden had words of advice and caution for the incoming Trump administration. He said cyber was unfamiliar terrain for President-elect Donald Trump, and Hayden could not identify an expert on his team.

However, he said he was heartened by the choice of Rep. Mike Pompeo (R-Kan.) for CIA director and described him as a "serious man who takes these questions seriously and studies these questions."

Hayden was more cautious in his reaction to the selection of retired Lt. Gen. Michael Flynn as national security adviser. Although Hayden praised Flynn's history of tactical success as an intelligence officer, he said the national security adviser job could be a stretch for Flynn. "This job is going to extend him," Hayden said. "It's going to demand that he up his game to be more broadly strategic than just tactical."

Like Trump, Flynn has been friendlier toward Russia and President Vladimir Putin than the rest of the Republican establishment, and Hayden expressed concern about Trump's views of Russia.

In particular, Hayden said it was off-putting that Trump has dismissed the assessments of the intelligence community regarding Russia's hacking of Democratic National Committee servers.

Although Hayden has argued that Russia's hacking of DNC email was "honorable espionage" of the sort that the U.S. routinely engages in, Russia's "weaponizing" of the stolen information violates accepted norms. Furthermore, it's unacceptable for Trump to disregard the intelligence community's findings because they conflict with Trump's larger narrative on Russia.

Hayden said he hopes that the fact-based "inductive guys" in the intelligence community will present a strong case to the incoming administration to help calibrate Trump's policy on Russia.

In addition, Hayden said he differed from the president-elect over the encryption debate. Trump has condemned Apple for refusing to unlock an iPhone used by one of the San Bernardino, Calif., shooters and said he would mandate backdoors for law enforcement.

"There is clearly a legitimate need for law enforcement to get into that phone," Hayden said, "but I have serious doubt as to whether or not it trumps the broader national need for high-end unbreakable encryption."

That argument might not find favor with Pompeo. In a Jan. 2016 Wall Street Journal op-ed, Pompeo observed that, "the use of strong encryption in personal communications may itself be a red flag."

Speaking as the former head of two spy agencies, Hayden said the Trump administration will need to recognize that the encryption debate is difficult and there is no clear answer, but on balance, the U.S. is safer if there is strong encryption.

Hayden also said the incoming administration should take seriously the forthcoming report and recommendations by the President's Commission on Enhancing National Cybersecurity.

"I would really like the incoming administration...to pick up what these guys are saying and incorporate that...and make it part of their thinking," he said.