In 2016, Jeh Johnson was in his third year of service as secretary of homeland security when reports emerged that the systems of the Democratic National Committee had been hacked.

The attackers leaked thousands of emails from key DNC staff members in an operation that the United States Intelligence Community concluded was orchestrated by Vladimir Putin to help swing that year's election to Donald Trump.

oracle openworld spy heads

"By late summer we knew that the Russian government was behind the hacking and as many of you know, on October 7th, there was a big debate about what to do about that," Johnson recalled at Oracle OpenWorld in San Francisco. 

"A number of us felt very strongly that we had to say something to the American public while the campaign was underway and the director of national intelligence and I, on Friday, October 7th, issued a statement making attribution to the Russian government for the hacking. We weren't then in a position to know that the Russian government was behind the scanning and probing of voter registration databases but we were able to conclude that later."

The statement was overshadowed by the leak of the Access Hollywood recording of Trump making lewd remarks about women, but it nonetheless signalled the beginning of a new conflict between two old enemies.

"It was an attack on our democracy and apparently from a variety of sources the same thing is happening again in connection with our midterms," said Johnson. "We have to think of cyber space as a battle space now, much like we would think of a kinetic battle space in traditional terms."

Information warfare 

General Michael Hayden was seven years removed from a spell as director of the Central Intelligence Agency when the emails were leaked. The retired US air force four-star general had also served as director of the National Security Agency and principal deputy director of National Intelligence, but it was his time as Air Intelligence Agency in the mid-1990s that reminded him that the rules had changed.

At the time, the agency was debating whether its business was primarily about cyber defence and attack or the broader category of information warfare. The complexity of the information umbrella and constitutional protections convinced them to stick to the confines of cyber security.

"The Russians went to door number two," he said. "The Russians went to the information dominance bubble. And the apostle for this was the fella who's now chief of the general staff, Valery Gerasimov, who wrote half a dozen years back about modern war being contactless war using informational means against an adversary's target population. Not a bad description of what happened in 2016.

"So one of our great challenges for the people who do security in the United States is to begin to think through a lens that is not our own and to begin to think about this in the way they think about it rather than what we do. Too often when we talk about what the Russians did, we only talk about hardening the infrastructure, and that's looking at it through our lens. That's that cyber stuff. Whereas the Russians...I know that in 2016 their probes against the election infrastructure were not to cause physical change there, it was just to mess with our heads here, to make us less confident in the whole process."

New rules of cyber war

Sir John Scarlett, the former chief of the British Secret Intelligence Service was at a security conference in Aspen, Colorado, when news broke of the DNC hack. His immediate reaction was" why is everybody so surprised?”

"In the pre-cyber age, pre-internet age, attempts to interfere in our election systems were absolutely normal practice from the Soviet side in Europe," he said. "Every European country had that experience, but here in the United States, it seemed to cause great surprise."

The changing code of conduct brought into question whether the private sector has the right to hack back in retaliation. Legally this would likely not be permitted as it would violate various domestic and international laws, but Johnson believes that this could change.

"It's much easier to be on top on offence than it is on defence in this realm and we've got to do a much better job in my view of public-private partnerships in defence of our cyber security and critical infrastructure."

Another question is, under what circumstance a cyber attack constitutes an act of war.

"This is the key problem, that there is no international legal structure or there is no sense of the rules of the game at all and it's very hard to see how in fact they can be developed and agreed on, because even if they are agreed on, then who is going to trust all the various sides to implement them," said Scarlett. 

"The lack of international rules of engagement structure around this area, which we're all saying quite independently is central to the whole reemergence of great power rivalries and tension, is a fundamental issue and I think we have to get our brains into that way of thinking about things differently."

General Hayden recalls that when then-US President Barack Obama accused the North Korean government of hacking Sony Pictures he called the attack an act of "cyber-vandalism".

Hayden was unsettled by the description but struggled to find a better alternative. The attack wasn’t an act of war according to to the Tallinn Manual, a NATO-facilitated guide on international law applies to cyber conflicts, which defines an act of cyberwar that justifies a military response as "a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects." But the field evolves so rapidly and unexpectedly that rules that already appear ambiguous could quickly become outdated. 

"Once you agree upon definitions the responses then become more obvious, but we can’t agree on the basic definitions," said Hayden. 

Johnson believes that mutual agreements on the terms are essential for global cyber peace.

"What we all need to remember is what's good for one nation is good for another and could be used to develop treaty obligations, could be used in self-defence, and so those with the greatest capabilities, it's not necessarily in our in interests to reach for an aggressive interpretation," he said.

"I personally believe that we still do not know the full extent to which the Russian government engaged in the publication and republication of fake news and extremist views that had an impact on public opinion in 2016.

"We know that there was scanning and probing activity around voter registration databases, which I was very concerned about when I was in office, but we also know that though access to the internet in our open free society is our greatest strength, it's also a vulnerability. We also know that the Russian government engaged in pushing out extremist views and fake news but we don't yet know the full extent of that."

Different rules in China 

Russia may be a threat but the country has a smaller GDP than that of New York, Texas or California and has limited global power next to its neighbour China, whose economy expected to surpass that of the US in the near future.

Hayden describes China as a "resurgent power" and Russia as a "revanchist power", but that doesn’t necessarily make President Putin the lesser danger. 

"Actually it might make him for the near term more dangerous because he knows he's got a diminishing capacity that he's got to use," says Hayden.

"The Chinese, on the other hand, are growing in power - and I'm not reflexive on attaching malevolent intent to everything the Chinese do. A whole bunch of what it is that they do are the natural things for nations in their circumstances." 

Navy drills conducted alongside the Thailand and Malaysia in the Strait of Malacca between Indonesia and Singapore were presented by many analysts as a threat, but Hayden argues that they are not only fair but positive in that they're taking responsibility for safety in their waters and protecting them from piracy.

China is nonetheless asserting its power with ever greater confidence and the anxiety in the US is growing as the balance of cyber power shifts.

"The pass/fail question of American diplomacy for the 21st century is the Sino-American relationship," he says. "Get it right, there's other stuff to work out. Get it wrong, this other stuff's not going to matter." 

Changing threats

Jeh Johnson believes that the intelligence community has become better at detecting threats from abroad, but the internal dangers have grown.

"The challenge is home-grown self-radicalised actors who radicalise in secret and are inspired by things they see and read on the internet," he said.

"It makes for a much more challenging environment, less predictable. It's harder to assess risk in that environment. 

"The cornerstone of our mission has to be counter-terrorism but the other cornerstone has to be cyber security. The cyber security threat is going to get worse before it gets better in my judgement. Those on offence, whether they're nation states or criminals or hacktivists or those who are engaged in ransomware, are increasingly aggressive and tenacious and ingenious and frankly, those of us on defence in government and in the private sector have to struggle to keep up and I think we've yet to turn that corner.

"That became a big big part of my mission in my three years in office. We made some strides and some improvement, but there's a lot more to do, particularly in a private-public partnership."

Hayden remembers the Cuban Missile Crisis and was at Checkpoint Charlie during the Cold War, and feels that the world is a safer place today but it has grown more complex.

"The world has actually been more dangerous in my lifetime than the current one," he said. "It has never been more complicated," he said.

Just listing all the players in the war in Syria is almost impossible, while ubiquitous interconnectivity makes every act in a conflict more immediate and universal.

"Although we've been safer I think the complexity and the immediacy of the world in which we are now living actually makes it seem even less safe and stable than it might really be."

Scarlett notes that great power tensions are returning while technology is levelling the playing field. 

"Arguably the poorest country in the world can pose serious threats and problems for the biggest and richest country in the world because technology is a great leveller," he said.

The dangers for the west are exacerbated by their governments' struggles to attract and especially to retain cyber security talent as the pay in the private sector - and financial services in particular - is far higher. 

Machine learning and artificial intelligence could further the cyber threats, but also strengthen defences.

It could make it quicker to recognise and respond to a threat but it could also offer new methods of attack. The technologies are rapidly developing and the results are hard to predict.

"It's very rapid change and we just don’t know exactly how it's going to develop, so the key philosophical point is somewhere be completely clear about what it is you really need to protect and make sure that you’ve got that covered and that's my entire professional experience," says Scarlett. 

"At the end of the day, you’re not able to protect everything…The central point is just be clear in your mind what you really need to keep protected and secret and if you get that right you'll probably be able to manage everything else." 

Balancing priorities

Cyber security policies need to find a subtle balance between protecting security and liberty.

When Hayden was new in his role of NSA director, the export of supercomputers was a growing political issue. Supercomputer manufacturer Cray was complaining about export controls on its products. Hayden met with key members of the Clinton administration in the White House to discuss the matter.

Among them was then-chief of staff John Podesta, who 15 years later would become another high-profile victim of an email leak blamed on a Russian hacking group.

Podesta asked Hayden to reconsider the restrictions imposed on Cray.

Hayden returned to the NSA headquarters in Fort Meade, Maryland to work out what to do. On his next trip to Washington, D.C., he told White House staff his decision: Cray could export to wherever they want, barring a few countries that were deemed too high-risk.

"It wasn't computing power we were limiting, just a few actors we didn’t want to have it, and the rationale behind that was there was a changing definition of what constituted security," he said.

"In other words, it wasn't denying another actor computing power so we could win a transient tactical operational engagement, it was preserving the strength of the American computing industry on which we would have to rely over the long term for our success."

He remembered that day in December 2015, when a terrorist attack in San Bernardino, California, led a federal judge to ask Apple to help the FBI unlock an iPhone recovered from one of the shooters.

The former director of the NSA backed Apple over the FBI, not on privacy nor commercial grounds, but because of his broader definition of security.

“[Then-FBI Director] Jim Comey's requests were totally legitimate, but in our view, the cost of conceding exceptional access outweighed the benefits of exceptional access in this case, all within the confines of thinking about security,” he said. 

"Now we could be right, we could be wrong, and there could be other circumstances when we're all for exceptional access because of the physical threat that it entails, but I would just simply invite to examine your conscience: don't be quite so reflexive in your point of view.

"And for God's sake, that which I just described is never a combat between the forces of light and the forces of darkness. It’s a discussion among free people trying to balance things, both of which they'd like to have in full measure - privacy and security and freedom and liberty."