Former CIA Director Says The Private Sector, Not the Government, Will Protect Us From Cyberthreats

The private sector will serve as America's first line of defense against cyberattacks and must focus more on threat intelligence and post-attack remediation, according to former CIA director Michael Hayden.

Hayden said he had assumed that the digital world would replicate the physical world, with the government taking the lead in protecting the nation from cybercrime. But he told the more than 2,000 attendees of Ingram Micro ONE that he's now convinced that the private sector is better equipped to address cybersecurity threats.

"In terms of the day-to-day, somewhat serious attacks, the government is not protecting you," Hayden said Tuesday at the Aria Resort & Casino in Las Vegas. "You're going to the private sector for the tools, products and services that you need to keep yourself safe."

Hayden said the United States has not decided what it wants or will allow the government to do to keep citizens safe online. Because of that, the government will permanently be late in addressing cybersecurity needs, said Hayden, who served as CIA director from 2006 to 2009 and National Security Agency (NSA) director from 1999 to 2005.

Conversely, Hayden said the private sector is "with it" and understands cybersecurity threats. He praised American industry for no longer thinking about cybersecurity as a drag on its bottom line and, instead, seeing it as integral to the creation of top-line growth.

"There is an incredible amount of entrepreneurial and technology energy in the private sector to make you and me safer in the cyber domain," Hayden said. "The private sector in this domain is the prime mover."

The private sector has historically been focused on reducing vulnerability to cyberattacks, Hayden said, with companies such as Symantec and McAfee founded to defend the perimeter and not let cyberattackers get into the network.

But even the most perfectly executed firewalls, patches and passwords can only keep 80 percent of hackers out of the network, Hayden said. That's why Hayden said most of the current entrepreneurial and technological energy is focused on managing the consequences of a successful breach.

"They're getting in – don't whine, get over it," Hayden said. "Survive while being penetrated. Wrap your more precious data more tightly than your less precious data."

Hayden said the backbone of consequence management is powerful algorithms that watch an end user's network, learn normal traffic patterns, and can, therefore, spot and alert key figures to network abnormalities. Effective consequence management maximizes and extends the time between penetration of a network and the discovery of sensitive data, Hayden said.

The future of cyberdefense, though, is probably about threat intelligence. Hayden said firms such as iSight Partners – which was acquired by FireEye in January, and counts the U.S. government as its biggest customer – provide this intelligence through web crawling, port scanning and assuming personas in chatrooms to better inform clients about what specifically attackers might be most interested in.

Another thriving security-related industry is cyberinsurance, which Hayden said is about sharing harm. Hayden credits the emerging industry for promoting better behavior among consumers.

"Insurance companies, and how they set rates, actually might be more effective in creating a higher level of cybersecurity in this country than anything the government could do," Hayden said.

The fact that cybersecurity will continue to be led by the private sector, rather than the government, was heartening to Eric Nilson, data center manager of Chicago-based SingleHop, No. 374 on the CRN Solution Provider 500.

"It's a wide open market, and that represents a lot of room for growth," said Nilson, an Ingram Micro partner. SingleHop has been engaged in changing clients' thinking from focusing on attack prevention to focusing on proactive remediation strategies, Nilson said.

Hayden's discussion about how it's impossible to build a wall around a client's data since it will inevitably be breached resonated with Brett Butler, president and CEO of Culver City, Calif.-based Excel Office Services.

"We could shut down our entire business and just go into security," Butler said.