The Washington Post

Former NSA chief: NSA and U.S. Cyber Command are now ‘indistinguishable’

(Jeffrey MacMillan)

The public's trust in government has been battered by repeated abuses of power, but it's not the NSA's fault.

That's one of several conclusions to emerge from an interview with Gen. Michael Hayden this week. During a chat before the screening of a forthcoming National Geographic special on cybersecurity, the former head of the NSA and CIA said that he's concerned about government overreach by the IRS and the Justice Department. But, he said, the mounting scrutiny simply makes it harder for the NSA to explain why its surveillance activity is above board. Hayden also believes the NSA and U.S. Cyber Command's functions to be so similar as to overlap completely; eventually, it will no longer be feasible to appoint one person to manage both agencies at the same time.

What follows is a lightly edited transcript of our conversation.

Brian Fung: Edward Snowden recently denied giving the Chinese or the Russian governments access to the data he gave to journalists in Hong Kong. What do you make of that?

Michael Hayden: I would simply say I would lose all respect for the Chinese security service if they let such an opportunity pass them by.

How do you think the Chinese would be able to get a hold of that information if Snowden had it on his person?

He was in China. The Chinese security services are, number one, professionally good. And number two, far less limited in what they do compared to Western security services and are almost ubiquitous inside the Chinese state. I don't have any insider knowledge -- I don't run the Chinese service. But with such an opportunity, I just can't imagine they would not have done everything they could have to gain what they could gain while he was there. He commented that no, this is impossible. He's studied the Chinese service, he knows how they work and so on. It's just another indication that this young man might have a bit of an inflated view of his own self and his own abilities.

We just got through a 16-day government shutdown. I'd like to know what you think about the shutdown's impact on cybersecurity.

First of all, just in terms of broad intelligence impact, I was quite stunned that between 60 and 70 percent of the civilians who work in our national agencies at the beginning of the government closure — they were all furloughed. Some were brought back before they were all brought back, but 70 percent — that's a really big number. Most of the intelligence professionals here at the national level are indeed civilians. So that was a bit risky.

In terms of the broad cyber effort — as concerned as I am about the government shutdown, I'm more concerned about the byproducts of the Snowden revelations. Because what you've got out there now is a tremendous distrust which I think is misplaced. You know, I'm an American too, and I also share in our distrust of government and our need to limit government's authorities.

But with the Snowden revelations, frankly, quite a bit sensationalized — it's clear to me that there's a very low probability we're going to get any cyber legislation out of this Congress. We need cyber legislation. We need to think through how it is we want to defend ourselves. The way I put it is, "what is it we want our government to do in the cyber domain" and "what is it we'll let our government do." And I'm afraid this whole kerfuffle since June has just poisoned that water.

But even before the Snowden revelations took place, the prognosis for cyber legislation was not that good.

No, they weren't good! Now it's a negative number! But you did have a bill on information sharing. I got it — the Senate may not have taken it up. I got it — the president threatened to veto it. But I also have it that it passed the House of Representatives with bipartisan support. So maybe there was a chance. But not now.

Going back to Americans' trust in government — it's at its lowest it's ever been in recent memory.

There are actually some good reasons for that.

Can you elaborate on that?

I'm concerned about what the IRS may or may not have done. I need to have clarity on that. I'm a little concerned about the broad-reaching subpoenas for the Associated Press. I'm a little concerned about James Rosen being named a co-conspirator. I'm a little concerned about the president believing he can decide that Congress is out of session to make recess appointments when Congress believes it is in session. There's this whole tenor of fear of government overreach. It's created almost a perfect storm. You add the Snowden revelations onto that, and now people like me who actually are reasonably comfortable with what NSA is doing, we find we're running uphill in trying to explain that to our countrymen and making them feel comfortable about it.

Privacy advocates say the government is asking Americans to trust it when it comes to the NSA's activities. Given the existing level of mistrust of the government, what is the argument for trusting the NSA?

One argument is, you may or may not think what NSA was doing in terms of the metadata and the American telephone records or the PRISM program or the e-mails — foreign based, but collected here in the United States — you may actually think, "You know, I need to know more about that. I'm not comfortable." But you can't say it was illegal. It reflects two laws of Congress in 2006 and 2008, passed by both houses, by both parties, overseen by the intelligence committees, approved by the courts. I mean, in the American system of separation of powers, that's a trifecta — executive, legislative, judicial branches. So it's not illegal.

But I'm quite open to a national conversation about, "Got it. Not illegal, now is it wise?" To have that conversation, my old community is going to simply have to explain what it is they're doing more than we have historically done. I actually think that if we get to most people out of the mainstream — all right, here's what we're doing, here's why we're doing it, here's why it helps, here's how we're overseeing it — I think most people would say, "Eh, I wish maybe you didn't have to, but okay. I'm okay for now. Call me in a couple of years."

Can you comment on the proposal by Sen. Ron Wyden to end the bulk metadata collection?

I think it would be a mistake. Sen. Wyden and Sen. [Tom] Udall opposed the bulk metadata collection in committee. The intel committee in the Senate. In the Senate. Which is controlled by the Democratic party. And they lost every vote in committee, 13-2. So I think even the committee felt the bulk metadata collection program was appropriate, lawful and effective.

What Sen. [Dianne] Feinstein and Sen. [Saxby] Chambliss — and on the House side, Reps. [Mike] Rogers and [Dutch] Ruppersberger — said was, so we oughta do this. We should continue doing it; if we don't do it, we'll be less safe and that's unwise. What can I do to make you more comfortable? And so they're both pushing for maybe a little more oversight, a little transparency -- sure. That's fine.

NSA director Keith Alexander has indicated his intent to leave office, which has raised the question, "Should the NSA and Cyber Command be headed by two separate people instead of one person?" What is your view on that?

My view is, if in this next term, one individual is selected to be both, it'll probably be the last time that happens. And it's not because of Snowden or anything else. It's simply the reality that — I was the director of NSA. And I found it filled up my entire workday. So I don't know how someone acts as the director of NSA and the director of Cyber Command. Look, I was the commander of Cyber Command's ancestor — Joint Functional Component Command for Network Warfare -- but that was a relatively light duty. I could really focus on being the director of NSA. And now what you've got — and clearly there's logic in combining the two. I simply think, as a practical matter, we're going to get to the point — and it's not now, it's the next time — when the two should be separated.

Given that a lot of their functions — not overlap, but —

Nah, actually they're indistinguishable. That's how badly they overlap.

Is it even possible to disentangle the two?

It would be very hard. But at the end of the day, Cyber Command operates under one section of U.S. law — Title 10 — and the NSA operates under another section of the law, Title 50. Look, I understand why they were together. I did it. I was the commander of Title 10 authorities. Absolutely essential. But as those Title 10 authorities mature, become more robust, demand even more time — despite the facile logic that, "Jeez, it's an awful lot like what NSA does!" — again, to go back to the word I used, as a practical matter I think it becomes too hard to keep them both together in one person, and you've gotta separate them. Now, would I keep Cyber Command at Fort Meade? Absolutely. Would I integrate the two to the best I can while respecting U.S. law? Absolutely.