The United States keeps too many hacks secret, says the former director of the U.S. National Security Agency.
In an interview with reporters this week, retired General Michael Hayden explained why he thinks companies and the government are ill-prepared to deal with cyberattacks: They both refuse to acknowledge hacks when they happen.
“The government hideously over-classifies it,” Hayden said. “And the private sector, for fiduciary reasons, is reluctant to share it.”
In November, a CNNMoney investigation detailed how Corporate America keeps huge hacks secret. Power plants, dams and other parts of America’s backbone hide hundreds of successful hacks from the public each year — and a little-known federal policy keeps it all under wraps.
This secrecy even limits the nation’s defenders, because instructors have less material to teach the cybersecurity teams that defend America’s energy, water and gas lines.
On Tuesday, Hayden told CNNMoney the reluctance to share information between companies and the government prevents America from figuring out how to deal with foreign spies and potentially destructive cyberattacks.
“We lack cyber policy,” he said. “We don’t have shared information on which to begin to base that adult conversation.”
President Barack Obama recently signed into law an information-sharing measure for businesses and government investigators to voluntarily share details about cyberattacks. But the most significant attacks — the ones on the nation’s infrastructure — remain protected with a veil of secrecy from the American public.
Another particularly frustrating aspect of this widespread concealment of information is the nation’s reluctance to formally accuse the actual attackers, Hayden said.
For example, hackers stole 21.5 million sensitive federal personnel records last year from the Office of Personnel Management — perhaps America’s biggest cyberespionage blunder to date.
The Obama administration has yet to blame China’s government. Meanwhile, Director of National Intelligence James Clapper has vaguely jabbed at China when speaking about the hack, once sarcastically congratulating the spies who pulled it off by saying, “You’ve got to salute the Chinese for what they did.”
Hayden, who is no longer a state official, was more direct.
“Who did OPM? China. Our government refuses to say it,” he said.
In many other cases, federal investigators will refuse to name the suspected government behind a hack — in public. But law enforcement agencies will whisper suspicions to reporters on condition of anonymity.
The result? News stories frequently attribute hacks with no actual proof. The massive JPMorgan bank hack in 2014 was initially blamed on Russian hackers with connections to the government there, but investigators eventually arrested Israelis supposedly engaged in a $100 million fraud scheme.
The hacking world is shadowy enough already. Hackers are notoriously difficult to catch, attackers bounce signals around to hide their location, and computers are wiped to destroy forensic evidence. Keeping cyberattack details secret only conceals it all even further.
“I can’t explain it,” Hayden said. “Yeah, it bothers me.”
Hayden thinks details about hacks tend to remain in the dark, because cyber operations — hacking into networks, stealing information, remotely destroying computers — have been viewed traditionally as a military domain.
“We have inherited this cult of secrecy with regard to all things cyber because of its bloodline,” Hayden said.