The United States should consider building a "more hardened enterprise structure for some activities," within the Internet, for improved cyber deterrence, said a former director of the Central Intelligence and National Security agencies.

"If we don't act boldly, something really bad is going to happen. Then we'll overreact," said retired Air Force General Michael Hayden, who is now a principal at the Washington, D.C.-based Chertoff Group, during a July 6 event at the Potomac Institute for Policy Studies in Arlington, Va.

While Hayden did not elaborate on the topic of overreaction, he did suggest that bold action would include the concept of a ".secure" domain for critical services separate from public domains such as .com and .net. A secure, walled domain would only allow access to users with certified credentials and would require users to waive much of the privacy they have in a .com environment.

In other words, "if you want to do banking, there's no anonymity," James Mulvenon, vice president at Falls Church, Va.-based Defense Group Inc., later elaborated.

As the Internet currently stands, without various layers with adjusted privacy and security tradeoffs, it does not promote security, said Mulvenon.

"Cyber, as a warfighting domain and as a peacetime domain, is fundamentally unstable," said Mulvenon. "We've built this entire edifice on top of what everyone recognizes as a flawed architecture. It was never designed to have security built in and now we rest some huge percentage of the global economy on an architecture we've basically been duct taping security to for the last thirty years."

Sacrificing privacy for enhanced security--as suggested in a .secure domain--is a model that has worked well for China, at least where network resiliency is concerned, said Mulvenon. China's ability to use "deep packet inspection" to rake all Internet traffic for viruses--and content that expresses anti-government sympathies--has given China a major advantage in cyberdefense.

"We live in an environment now where the adversary is persistently inside the network and we cannot remove them," said Mulvenon, who stressed that leadership should act quickly and enact policy that enables improved cybersecurity.

"The innovation that we see and the level of connectivity that is going on and increasing connectivity is clearly vastly outpacing our security engineering. It's outpacing our policy. It's outpacing our legal understanding of what's going on."

For more:
- see a webcast of the event 

Related Articles:
CRS: Smart grid cybersecurity standards potentially subject to conflict of interest 
NIST cybersecurity standards would apply to Defense contractors under proposed rule
SASC urges behavioral pattern threat detection DoD cybersecurity pilot 
White House cybersecurity proposal would create disincentives, says industry group head