[AFR]
What do you think are the next generation of cyber threats that we will face?
[Gen. Hayden]
Most of the unpleasant cyber events we've experienced to date are most accurately described as “cyber espionage”. The next level, and we are in this right now, is using the cyber domain to destroy someone's information and/or to degrade their network.
We've seen this in several recent cases, including the attacks that destroyed thousands of Saudi Aramco computers, the Iranians' denial of service offensives against American banks, and so on. We are into that level of conflict now.
The Stuxnet virus that disabled some of Iran's nuclear facilities – and I am not commenting on who may or may not have created it – highlights the potential for cyber weapons to inflict physical damage.
We are moving from a world in which most cyber problems are mainly about stealing your data to a world in which cyber is being used to deliberately create direct kinetic consequences: effects on your information, effects on your networks, and other adverse physical effects on a**ets that are valuable to you. As surely as night follows day, these cyber security risks are going to expand over time.
[AFR]
In a world where human activity is becoming increasingly electronically integrated and mediated by copper/wireless/fibre communications, will core telecommunications networks effectively have to become national “public goods” again and heavily constrained by national security considerations?
[Gen. Hayden]
Vital communications infrastructure will inevitably become more constrained by non-market national security issues. I don't think we are going back to the situation at the height of the industrial age when telcos were state-run and/or controlled monopolies largely because they were so complicated at the time – only states could manage them.
We are in a completely different era now. But if you've got a foreign company supplying you with essential communications infrastructure and/or helping build your network, the detailed knowledge that company obtains can be a powerful intelligence tool for foreign security services to leverage off to map out and target your telecommunications network for espionage and other malicious purposes.
I know we are in an era of globalisation – we want our firms to be able to compete globally. But governments also have to bear some accountability and responsibility for their own self-defence.
We definitely need the agility, creativity and innovativeness of the private sector to do modern telecommunications properly. I get that. The last thing you want is the American phone system being run by the Internal Revenue Service. You need the private sector to do communications well.
But the state also has a role in putting in place oversight mechanisms to ensure that the private owners of critical infrastructure do not respond just to market forces, and do not ignore “non-market” national security concerns.
[AFR]
Some private companies are becoming more vocal about the need to actively defend themselves against cyber attacks in the absence of state support. Is this something the private sector should do, or is it the exclusive remit of government?
[Gen. Hayden]
Liberal democracies like yours and mine have inherent trouble providing adequate self-defence because of a range of civil liberties that come hand-in-hand with the freedom our societies offer.
The United States is arguably constrained more by this desire to protect civil liberties than many other countries. And so I understand the great temptation for private firms. They feel they have to provide for their own cyber security defence much more than they have to do in our traditional physical world.
So I understand some want to have the ability and the legal authority to be aggressive in defending their business. I get that. And the longer your government and my government are late in providing adequate cyber defences, the stronger the temptation for private companies to do aggressive defence themselves will become. However, I am not yet ready to endorse this as the appropriate response.
The problem is that whereas your government and mine have very clear rules and roles for defending us across land, sea and air, they don't yet in cyber. Firms are far more on their own in the cyber domain than they are in the physical domain. So I can see the pressures building on them to engage in active or offensive cyber defence. But I am not yet convinced they should be doing it. One would hope that over time they can work with government to get more comfort about their cyber security.
[AFR]
Have you ever had any direct exposure to the Chinese telecommunications company, Huawei?
[Gen. Hayden]
Two or three years ago Huawei was trying to establish a pretty significant footprint here in the United States. And they were trying to get people like me – as the former head of NSA and the CIA – to endorse their presence in the US. To serve on their local board, or to have some other kind of commercial relationship with them.
I reviewed Huawei's briefing paper, which said all the right things. One could almost honestly judge that were actually trying to genuinely put my mind at ease.
But God did not make enough briefing slides on Huawei to convince me that having them involved in our critical communications infrastructure was going to be okay. This is not blind prejudice on my part. This was my considered view based on a four-decade career as an intelligence officer.
My conclusion was that, “No, it is simply not acceptable for Huawei to be creating the backbone of the domestic telecommunications network in the United States, period.” And frankly this is where I think the state has a role to play – to ensure we don't make decisions that compromise the foundations of our national security.
[AFR]
Have you come across insidious hardware implants in telecommunications equipment provided by non-US manufacturers before? If so, can you generally describe the implants' capabilities/purpose?
[Gen. Hayden]
It is impossible for me to comment about operational matters. I can give you a more generalised remark. I recognise the danger of implants and backdoors in telecommunications networks. Beyond that, just a foreign firm gaining the intimate knowledge they would get by helping build a telecommunications network is a sufficient “first-principles” national security problem to give you serious pause before you even consider the presence of backdoors.
[AFR]
When intelligence agencies issue strong warnings to government about the national security risks posed by specific companies, do they typically have a clear evidentiary basis when doing so? Do politicians always listen?
[Gen. Hayden]
When you are the intelligence guy in the room, and you say “I advise against this course of action,” I have found in America's system, and I a**ume it is the same in Australia, whether it was David Irvine [Director-General of ASIO], Steve Merchant [Defence's former Deputy Secretary of Intelligence] or Dennis Richardson [Secretary of Defence and former head of ASIO], or any other senior intelligence expert providing the advice, for a minister to say, “Well that's very interesting, but I choose to ignore the intelligence community's warning to me”, that's almost an unnatural act in a political system that is transparent and which has to be responsive to the body politic.
As head of NSA or CIA I would always make sure I knew what I was talking about before I issued such a warning, because I knew that in our system these warning carry tremendous weight in the discussion. Maybe there are differences between what happens in Canberra and what happens in Washington. But in Washington, if the top intel guys take a hard line and say, “No, we believe this action to be unwise”, that's a real strong point in the conversation. That will exert real influence on the decision-maker.
[AFR]
Does Huawei represent an unambiguous national security threat to the US and Australia?
[Gen. Hayden]
Yes, I believe it does.
[AFR]
Do you think hard evidence exists within democratic, English-speaking intelligence networks intelligence network that Huawei has engaged in espionage on behalf of the Chinese state in the past?
[Gen. Hayden]
Yes, I have no reason to question the belief that's the case. That's my professional judgement. But as the former director of the NSA, I cannot comment on specific instances of espionage or any operational matters.
[AFR]
I just want to confirm this is correct. You believe that it is reasonable to a**ume that hard evidence exists that Huawei has engaged in espionage on behalf of the Chinese state?
[Gen. Hayden]
Yes, that's right. And, at a minimum, Huawei would have shared with the Chinese state intimate and extensive knowledge of the foreign telecommunications systems it is involved with. I think that goes without saying. That's one reality.
But frankly, given the overarching national security risks a foreign company helping build your national telecommunications networks creates, the burden of proof is not on us. It is on Huawei. And based upon the House Intelligence Committee's open hearings in America last year, Huawei was well short of providing any comforting testimony that would make me begin to question the intuitive premise that Huawei presents serious national security risks on a first-principles basis. In fact, I don't think Huawei has ever really tried hard to meet this burden of proof test.
Let make some broader points. Number one: I understand the theory of Chinese state capitalism where the government cla**ifies specific private companies as ‘national champions”. Their success is strategically important to the state. It is well known Huawei falls into that camp.
Number two: I understand the Chinese espionage effort against the West. As an intelligence professional, I stand back in awe at the breadth, depth, sophistication and persistence of the Chinese espionage campaign against the West.
The third point is that China does not confine itself to espionage against what you or I would call “state secrets”. They have a much broader definition of legitimate espionage to include intellectual property, commercial trade secrets, and the negotiating positions of private entities. In other words, they don't limit themselves in the way we do in the English-speaking community.
Finally, as highlighted wonderfully in the House Intelligence Committee's open hearings with Huawei officials last year, these guys are not even transparent to themselves. There's no transparency around who appoints the board of directors or controls the ownership of the business. And there's no independent Chinese government oversight committee that could give us continuing confidence that Huawei or ZTE would not do what they promised not to do.
Look, I also understand that this can be tough on business in Australia and the US because we're in essence taking the lowest bidder out of the competition. But, frankly, this isn't very hard for us to do in the security domain: I mean, it's almost reflexive given what we believe.
[AFR]
Have the Snowden leaks compromised the flow of intelligence from the US to its alliance partners?
[Gen. Hayden]
The Snowden leaks have the potential, if not already the reality, to be the most single most destructive leak of American security information in our history. And I make that statement with full knowledge that Aldrich Ames and Robert Hanson led to sources being executed. I understand that. As sad as that is, they revealed very limited, singular sources.
Snowden is attempting to reveal the underlying architecture of the US intelligence gathering network. We've lost cups of water before. We've lost buckets of water. Yet this is a guy who is exposing the very plumbing that pipes the information. He's exposing the methods through which we access information.
Mike Rogers, Chairman of the House Intelligence Committee, has stated that we are already seeing the enemy respond to Snowden's leaks. There is undoubtedly going to be a long-term impact on the American technical intelligence community's ability to collect information.
How does this affect our partners? We have already made it clear that we are quite generous in how we share our intelligence with other nations. If there is less intelligence being gathered there will be less to share, as surely as night follows day. Make no mistake: the Snowden leaks are a really big deal for our national security.
[AFR]
Is Edward Snowden a hero or a traitor?
[Gen. Hayden]
He's certainly not a hero. The word traitor has a very narrowly defined legal meaning that he may not in the end quite meet. I personally think Snowden is a very troubled, narcissistic young man who has done a very, very bad thing.
I don't think Snowden spied for the money, and he probably did not spy for the power. He seems to have revealed this information because of his ideological embrace of transparency as a virtue.
It is a little like the Boston bombers. The issue is at what point does Islamic fundamentalism flip-over and become a genuine national security threat? Likewise, at what point does a cultural tendency towards transparency flip-over to become a deep threat inside your system? They are similar issues.
[AFR]
Why do you think Snowden selected Hong Kong as his initial base?
[Gen. Hayden]
It's very mysterious why Snowden chose Hong Kong. The great puzzle is that he ran up his flag as the protector of American privacy. He then slid into the role of the protector of everyone's privacy. Yet he's taken up residence in China, Russia, and now he is trying to get to Venezuela. None of these nations feature in a list of the world's top internet privacy regimes. It is therefore a remarkable journey he's chosen to undertake.
[AFR]
Will the Snowden leaks increase the probability of national security threats materialising?
[Gen. Hayden]
Of course they will. Look, the intelligence services like the ones I used to head – and DSD, ASIO, and ASIS – they're there to prevent surprises. They're there to inform policymakers so that they don't end up with those nasty binary national security choices too late in the game.
The intelligence infrastructure is designed to allow leaders to shape situations, and mitigate risks, well in advance of crises actually occurring. Insofar as Snowden's leaks have impaired the ability of intelligence agencies to collect information, political leaders in Western democratic states will have commensurately less forewarning and knowledge of crises beginning to build. That can ultimately mean these events blow-up and the Prime Minister or President is forced to deal with two unpleasant choices – accepting an event's damage or taking difficult action in response to it – rather than having the opportunity to thwart it all in advance.
[AFR]
What's the biggest lesson for the US national security community from the Snowden affair? What can they do to prevent these leaks happening again?
[Gen. Hayden]
This is really hard for many reasons. And the bad news is that it will likely happen again. We all recognise the value of sharing sensitive information, making it readily accessible, and not stove-piping it, or sealing it off. The lesson of 9/11 was the importance of sharing information.
And we Americans and Australians need to recruit from Edward Snowden's generation. The problem is that this is a generation of people whose views on secrecy, privacy, transparency, and government accountability are a bit different from the folks supervising them, and certainly different from my generation.
We nonetheless need to recruit from this group because they have the sk**s that ASIO, ASIS, DSD, NSA and CIA require to fulfil their lawful mandates. So the challenge is how to recruit this talent while also protecting ourselves from the very small fraction of that population that has this romantic attachment to absolute transparency at all costs.
One solution I do not favour is turning the American intelligence community into the East German stasi, with everyone reporting on everyone else. That's not who we are, that won't work. Even if you thought that was a good idea – and it is a horrible one – it would not work inside our culture or the Australian one. So that's not the answer.
I do think that there are technological tools out there that give us a higher probability of detecting the “high volume leaker”. We should be able to set up mechanisms that allow us to detect anomalous behaviour inside our own network. This would not be foolproof, but it might help you ask: “Why is this guy on a workstation in Oahu, Hawaii tapping into large volumes of sensitive documents back at NSA, Fort Meade?”
[AFR]
Do you have any issues with the media reporting of the Snowden leaks?
[Gen. Hayden]
Yes, our 24/7 constant news networks have really mangled this so story badly that Americans don't quite understand what it is that their government is or is not doing. When the media gives us a proper opportunity to explain exactly what it is the US intelligence community does for its people, then I think we can make Americans very comfortable.
The second public relations issue has been in other states. You've got a bunch of countries in Europe hyperventilating about America's foreign intelligence operations. But the truth is that all nations conduct espionage. Nobody has claimed that America's Bill of Rights, which protects the individual privacy of our citizens, was a global treaty. No one can claim that these nations aren't doing similar things against America and many others. If some countries do have a legitimate compliant about our espionage activities, it's frankly because we are just better at it than they are.
One explanation for the response in some European countries is that politicians on the continent are often not aware of what their own security services are doing. Their parliamentary oversight committees don't have anything remotely like the access inside the security services that our Congress has.
[AFR]
What is the difference between NSA's meta-data collection activities and the data-retention regimes in place across 27 EU nations to a**ist law enforcement and national security agencies lawfully conduct investigations?
[Gen. Hayden]
All telecommunications and internet service providers in North America and Europe are required to respond to lawful information requests by the sovereign states in which they are located for policing or national security purposes. The French may do this a bit differently than the way we do it, and the Germans may do it a bit differently than the French. But every country has the right to go to their communications providers and collect information subject to the laws of that land.
[AFR]
If the US is able to lawfully compel leading privately owned companies like Microsoft, Google, Facebook and others, which as listed entities on stock exchanges are subject to tough disclosure standards, to facilitate its foreign intelligence gathering efforts, do more authoritarian states, like China and Russia, have a greater ability to coerce their own private companies to do the same?
[Gen. Hayden]
Of course they do. American firms were responding to narrowly crafted court orders to provide information to the American government for very specific and targeted national security reasons. In more closed and controlling countries like China they have created entire non-government systems, or complexes, of universities, institutions and other entities like “cyber militias” that actively conduct espionage on behalf of the state. Have a read of the public Lockheed Martin report that documents this.
[AFR]
How is PRISM different to the standard foreign signals intelligence collection carried out by most countries?
[Gen. Hayden]
It is not. It is simply a reflection of an anomaly in America's FISA Act that treated all communications routed via the United States as if they were between our citizens and therefore of the United States. But with modern telecommunications there are now communications between foreign nationals that happen to be on a server sitting in Washington state. And so the FISA Act was amended in 2008 to allow the NSA under court supervision to treat these exchanges as the foreign communications they truly are.
[AFR]
You say there is a key difference between the espionage practices of the US and its allies and China's spying. What is it?
[Gen. Hayden]
Listen, I fully admit: we steal other country's secrets. And frankly we're quite good at it. But the reason we steal these secrets is to keep our citizens free, and to keep them safe. We don't steal secrets to make our citizens rich. Yet this is exactly what the Chinese do.
I believe the Chinese today are engaging in unrestricted espionage against the West that is comparable to the unrestricted submarine warfare waged by Imperial Germany in 1916. The intensity of Chinese espionage is certainly greater than that what we saw between the US and the Soviets during the Cold War.
The problem is China's view is that industrial espionage by the state against relatively vulnerable private enterprise is a commonly accepted state practice. This is just unacceptable.
Industrial espionage by the Chinese has probably now become the core issue in the Sino-American relationship. It is not an irritant. It is not a peripheral issue. Believe me, I work closely with America's congress and government, and this is now the dominant issue between the two countries, and runs the risk of undermining the entire relationship.
[AFR]
What do you think about the rise of Chinese power, how should we respond to it, and what does it mean for American (and Australian) diplomacy?
[Gen. Hayden]
I get asked all the time whether the growth of China's power is good or bad. I am an intelligence officer – and the way I put it is that Chinese power just “is”. It's an artefact of China's trajectory to date.
What the growth of Chinese power really necessitates is a prudent response from countries like ourselves and Australia. Not because we view the Chinese as inherently aggressive or because we think war with China is inherently inevitable. We simply need to balance the growth of Chinese power in the region and take the necessary precautions to make it much more difficult, or highly unlikely, for China to make a dumb decision in 3, 5, 10 or 15 years.
In 2009, 2010, and into 2011 we had an awful lot of Chinese triumphalism. This was not China as an emergent state – as most of the world perceives them – it was the restoration of China. And I think the Chinese made mistakes in cutting against their own self-interest with this approach. You know, suddenly defining their claims to the South China Sea as “core national interests” was very counter-productive.
And the Chinese style made it easy for American diplomacy to effectively engage in the region. We are now doing joint exercises with the Philippines, we have two littoral combat ships berthed in Singapore, we've got Marines in Darwin, and now the Vietnamese are saying, “Hey you guys used Cam Ranh Bay all that time, why can't you use it again?” You've got everyone out there now welcoming an American return.
And I think the Chinese have now recognised that. Certainly, in 2012 and so far in 2013, they've changed their style a little bit. Because the previous approach was triggering a response from countries in the region that actually made is much easier for America to conduct this “pivot” back towards them. My hope is that the Chinese understand this.
[AFR]
Will China become the next super-power?
[Gen. Hayden]
I would also offer to you this. I am very confident China is not a juggernaut. Sure, this is a state that has had remarkable growth. And that's a good thing. It really is. But they've got so many embedded fundamental flaws: whether it's demographics, inequality, the legitimacy of the Chinese Communist Party, or environmental challenges.
My expectation is that this will be an inward facing society because of these problems for a long time to come. But my fear is that the Chinese Communist Party, whose legitimacy has not been based on ideology for a decade or three, but on 10 per cent real GDP growth each year, my fear is that as that noses over, the Party will not be able to default to legitimacy of “Confucian merit”. We all know from the Chinese blogosphere about the deep problems the Party has with its moral merit in the community. So my fear is that the Party seeks legitimacy in that last refuge of self-preservation: nationalism.
Having said that, I think the probability of major power conflict is less than it was during the Cold War. The economic and social integration of the Chinese and West's economies is much higher than it was between the Soviets and the United States during the Cold War. That augurs well for us having a chance of controlling this competition.
And, as I have said elsewhere, I don't think China is an enemy of the United States. There is no good reason for China to be an enemy. There are logical, non-heroic policy choices available to the leaders of both nations that will allow the relationship to remain competitive, if occasionally confrontational. But it never has to get to actual conflict.
[AFR]
Some Australian experts/commentators publicly argue that we should “free-ride” off the US alliance, and the extended nuclear deterrence it affords. To this school of thought, we can continue to spend less than half what the US does as a share of GDP on defence. Do you have any comments on this argument?
[Gen. Hayden]
Let me make clear first that this is not a North American who is complaining. The Australians have been generous and show up in a lot of places like Afghanistan. But I think it would be foolhardy for other countries to rely on some abstract American nuclear umbrella to ensure stability in the Pacific and in the coming competition in the Indian Ocean.
In addition, we cannot do it alone to the extent we did in the Cold War. America's current policy is focused on the demands of balancing the growth of Chinese power in concert with our regional friends – not in isolation.
This is not something the United States would be able or willing to do on its own in the way we may have been willing or able to constrain Soviet power in the 1950s or the first half of the 1960s. The bottom line is that we want to collectively make it difficult, if not impossible, for the Chinese to make a stupid decision in the years ahead that really harms our way of life.
[AFR]
Is leasing Virginia-cla** nuclear-powered but conventionally-armed submarines off America a viable strategic option for Australia to consider?
[Gen. Hayden]
Yes, I think that sounds like a reasonable option although I claim little expertise on the matter. I would really underscore the importance of undersea combat in this context of the strategic goal of balancing Chinese power. We've got the best minds in the American air force and navy talking about air-sea battle. And the critical conflict in any area denial campaign could very likely take place in what is known as subsurface warfare. This is, therefore, a very important capability, and one that Australia could make a vital contribution to. Correct me if I am wrong, but my recollection is that Australia's defence white paper in 2009 stated quite clearly that undersea warfare was going to be a critical element in the strategic relationship with China?