Former National Security Chiefs Talk Cloud Security, AI, And The Importance Of Protecting Privacy
Three of the world's most-respected national intelligence experts applied the lessons of their distinguished careers leading intelligence agencies Wednesday to IT professionals trying to secure cloud workloads and embrace artificial intelligence.
General Michael Hayden, former director of the CIA and NSA; Jeh Johnson, former Secretary of Homeland Security; and Sir John Scarlett, former chief of the British Secret Intelligence Service; took the stage at Oracle OpenWorld to assess the modern cyber-threat landscape and share insights relevant to Oracle's partner and customer community.
While their careers all predate the threats of the modern era, the three intelligence chiefs were some of the first to have to wrap their heads around the emerging challenges posed by hackers, and the difficult policy questions they raised.
In 2012, Johnson attended a speech given by Leon Panetta in which the Secretary of Defense predicted "a cyber 9/11."
"That's a rather provocative term," Johnson, President Barack Obama's Homeland Security chief, told OpenWorld attendees.
But Panetta's fears were soon, in a way, realized.
"Some would argue what happened to our democracy in 2016 was a cyber 9/11. We still don’t know the full extent the Russian government engaged in re-publication of extremist views, fake news, that had an impact,” Johnson said.
In office, Johnson was deeply concerned about Russians scanning and probing voter databases. And there was a rising level of awareness of efforts from Russian platforms to hack the Democratic National Committee.
It appears that those same intrusions are happening again for the upcoming midterms, he said. Complicating the matter, a cyberattack can be very subtle, taking years to assess its impact.
"Access to the Internet, in an open, free society, is our greatest strength, but also a vulnerability," Johnson said. "We have to think of cyberspace as a battlespace now."
In that realm, it's easier to be on offense than defense, he said, adding public-private partnerships are important to doing a better job defending national security resources.
Scarlett, who once ran Britain's clandestine intelligence service, told the crowd that technological innovation is "a great leveler"—and often not in a positive way.
"The poorest country in the world can pose big problems for the biggest and richest country in the world," he said.
The 2014 North Korean hack against Sony illustrated Scarlett's point, said Hayden, who added, while he didn't like President Obama's description of that event as "cyber-vandalism,” he still doesn't know a better term to describe it.
Oracle Chief Corporate Architect Edward Screven elaborated on the technical challenges of keeping data safe from hackers.
When he first joined the Redwood Shores, Calif.-based technology giant, the attacks were "pretty amateurish," Screven said. "People in their mothers' basements hacking away"—scanning ports, sending easy to detect phishing emails.
That's changed in recent years to well-funded criminal organizations and state-sponsored attacks with financial or political motivations. And in their attempt to harm nations, those actors often target companies they see as important.
"As that threat has gotten tougher to deal with, we had to build new technologies and figure out ways to respond that aren't manual, that don't have long think times," Screven told the national security pros. "That's fundamentally what's changed."
Oracle co-CEO Mark Hurd, moderating the discussion, told the panel that Oracle's founder, Larry Ellison, stood on the same stage two days earlier and indicated that almost every major tech company has been attacked with some level of success.
That led Oracle to build what it believes is an "impenetrable" cloud, Hurd said.
The three national security leaders said while in office, the cloud was something they had to quickly develop an understanding of.
At the turn of the century, Hayden's people at the NSA came to him and started talking about the cloud—a technology they told him was being adopted around the world.
When told people were congregating data "all in one place,” Hayden admitted, as director of the NSA, he had a Monty Burns moment, referencing The Simpsons character. Hayden rubbed his hands together and said, "excellent."
"As it played out, if people made security one of the discriminating aspects of how they went to the cloud, and not just scale and convenience and cost and latency, if they made security one of their discriminators, invariably they ended up with better security than they would get in their own basement or in their server farm," Hayden said.
The new technology and methodology, he realized, would be a security benefit, "as long as people didn't make dumb decisions as how they went to the cloud."
Scarlett said the value of the cloud depends on the priority organizations place on security when making cloud adoption decisions.
"Is it really at the top of their list?" the British spy leader asked. "I suspect very often it's not."
Screvin said cloud gives defenders a fundamental advantage—the difference between attacking lots of small bunkers, each responsible for their own security, to a smaller number of strongholds easier to deploy shared defenses for.
Hurd told his guests cybersecurity is more difficult than it seems—IT has evolved as an open environment comprised of technologies and products from many vendors. That creates "lots of different pathways" into modern environments.
As to machine learning and artificial intelligence, Hurd said, those technologies "are going to accelerate knowledge processes at an extreme level that frankly we've never seen before in our lifetimes."
It's all a "great unknown," Hayden said of the emerging intelligent technologies. The "effect on the battlespace is very often unpredictable."
Screven said "it seems very clear" that AI is more effective for defense than offense. Leveraging machine learning and AI helps identify attacks far faster than humans can do on their own.
"If artificial intelligence makes the response quicker, because the defense is disadvantaged in that, that's obviously a good thing," Hayden said in response to that comment.
But Johnson warned, "we have to be aware of the shortcomings of AI."
Scarlett said a lesson from his intelligence days that translates to the current context: "Be completely clear about what you really need to protect. And make sure you've got that absolutely covered."
At the end of the day, you're not able to protect everything. But if you really understand what is vital to security priorities, most everything else will fall into place, Scarlett said.
The larger discussion on cybersecurity doesn't have answers as obvious "as we think they are," Hayden said. "Those of us involved in this ought to occasionally examine our conscience."
As an example, Hayden shared an epiphany he had when he just started as director of the NSA—the agency responsible for cyber espionage.
A crisis emerged around whether the government should allow private companies to export supercomputers. In a meeting of senior Clinton administration officials chaired by Chief of Staff John Podesta, Hayden and his colleagues were the stumbling block to allowing sales to other countries.
"NSA views computing power as combat power, and we weren't in the business of spreading that around the world," Hayden said.
But after supercomputer maker Cray protested, he changed his philosophy, realizing it wasn't just about denying computing power, but also preserving the strength of the American computer industry.
That informed his thinking on the government's conflict with Apple after the San Bernardino terror attacks that pitted Apple CEO Tim Cook against FBI Director James Comey.
Hayden said he, and two other former NSA directors, surprised many by siding with Apple in its fight to resist the FBI's efforts to compel the company to unlock the terrorist's iPhone.
That standpoint was "not on privacy grounds, nor on commercial grounds. But on a broader definition of security."
The cost of "conceding exceptional access" to an important American technology company outweighed the benefits of accessing the data, "all within the confines of thinking about security," Hayden told OpenWorld attendees.
Such questions are difficult, because everyone is in uncharted territory. Security officials shouldn't be reflexive in their thinking, the three agreed.
We need to encourage "discussions among free people trying to balance things, both of which they would like to have in full measure, privacy and security … and freedom and liberty," Hayden said.
"There's no simple answer," Scarlett added. "It's very important we don’t adopt simple positions."
National defense leaders need to recognize that preserving security is a component of protecting privacy, he said.
"It's very subtle, and just be aware of that," Scarlett told attendees. "Somehow we just have to find our way forward."