Admiral Rogers Speaking at the Joint Service Academy Cyber Security Summit
Admiral Mike Rogers gave the keynote address at the Joint Service Academy Cyber Security Summit today at West Point. He started by explaining the four tenets of security that he thinks about.
First: partnerships. This includes government, civilian, everyone. Capabilities, knowledge, and insight of various groups, and aligning them to generate better outcomes for everyone. Ability to generate and share insight and knowledge, and to do that in a timely manner.
Second, innovation. It’s about much more than just technology. It’s about ways to organize, values, training, and so on. We need to think about innovation very broadly.
Third, technology. This is a technologically based problem, and we need to apply technology to defense as well.
Fourth, human capital. If we don’t get people working right, all of this is doomed to fail. We need to build security workforces inside and outside of the military. We need to keep them current in a world of changing technology.
So, what is the Department of Defense doing? They’re investing in cyber, both because it’s a critical part of future fighting of wars and because of the mission to defend the nation.
Rogers then explained the five strategic goals listed in the recent DoD cyber strategy:
- Build and maintain ready forces and capabilities to conduct cyberspace operations;
- Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions;
- Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence;
- Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages;
- Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.
Expect to see more detailed policy around these goals in the coming months.
What is the role of the US CyberCommand and the NSA in all of this? The CyberCommand has three missions related to the five strategic goals. They defend DoD networks. They create the cyber workforce. And, if directed, they defend national critical infrastructure.
At one point, Rogers said that he constantly reminds his people: “If it was designed by man, it can be defeated by man.” I hope he also tells this to the FBI when they talk about needing third-party access to encrypted communications.
All of this has to be underpinned by a cultural ethos that recognizes the importance of professionalism and compliance. Every person with a keyboard is both a potential asset and a threat. There need to be well-defined processes and procedures within DoD, and a culture of following them.
What’s the threat dynamic, and what’s the nature of the world? The threat is going to increase; it’s going to get worse, not better; cyber is a great equalizer. Cyber doesn’t recognize physical geography. Four “prisms” to look at threat: criminals, nation states, hacktivists, groups wanting to do harm to the nation. This fourth group is increasing. Groups like ISIL are going to use the Internet to cause harm. Also embarrassment: releasing documents, shutting down services, and so on.
We spend a lot of time thinking about how to stop attackers from getting in; we need to think more about how to get them out once they’ve gotten in—and how to continue to operate even though they are in. (That was especially nice to hear, because that’s what I’m doing at my company.) Sony was a “wake-up call”: a nation-state using cyber for coercion. It was theft of intellectual property, denial of service, and destruction. And it was important for the US to acknowledge the attack, attribute it, and retaliate.
Last point: “Total force approach to the problem.” It’s not just about people in uniform. It’s about active duty military, reserve military, corporations, government contractors—everyone. We need to work on this together. “I am not interested in endless discussion…. I am interested in outcomes.” “Cyber is the ultimate team sport.” There’s no single entity, or single technology, or single anything, that will solve all of this. He wants to partner with the corporate world, and to do it in a way that benefits both.
First question was about the domains and missions of the respective services. Rogers talked about the inherent expertise that each service brings to the problem, and how to use cyber to extend that expertise—and the mission. The goal is to create a single integrated cyber force, but not a single service. Cyber occurs in a broader context, and that context is applicable to all the military services. We need to build on their individual expertises and contexts, and to apply it in an integrated way. Similar to how we do special forces.
Second question was about values, intention, and what’s at risk. Rogers replied that any structure for the NSA has to integrate with the nation’s values. He talked about the value of privacy. He also talked about “the security of the nation.” Both are imperatives, and we need to achieve both at the same time. The problem is that the nation is polarized; the threat is getting worse at the same time trust is decreasing. We need to figure out how to improve trust.
Third question was about DoD protecting commercial cyberspace. Rogers replied that the DHS is the lead organization in this regard, and DoD provides capability through that civilian authority. Any DoD partnership with the private sector will go through DHS.
Fourth question: How will DoD reach out to corporations, both established and start-ups? Many ways. By providing people to the private sectors. Funding companies, through mechanisms like the CIA’s In-Q-Tel. And some sort of innovation capability. Those are the three main vectors, but more important is that the DoD mindset has to change. DoD has traditionally been very insular; in this case, more partnerships are required.
Final question was about the NSA sharing security information in some sort of semi-classified way. Rogers said that there are a lot of internal conversations about doing this. It’s important.
In all, nothing really new or controversial.
These comments were recorded—I can’t find them online now—and are on the record. Much of the rest of the summit was held under Chatham House Rules. I participated in a panel on “Crypto Wars 2015” with Matt Blaze and a couple of government employees.
EDITED TO ADD (5/15): News article.
Ray Dillinger • May 14, 2015 1:59 PM
I had a horrible thought this morning.
It is well understood by people working in the field that there is no way for technology to distinguish between “authorized” attackers – i.e., those with good intentions – and “unauthorized” attackers – i.e., those with evil intentions attacking via the same means, and this is a fact we remind government types of again and again when they insist that new systems must be vulnerable to additional attacks via “law enforcement key” etc. Systems can be secured against everybody, or against nobody.
The thought I had is this. What if they are fully aware of this but regard systems secured against everybody as a WORSE outcome than systems secured against nobody? What if they don’t want cyberspace to be secured at all?
The “traditional” security relationship between governments is that all of them spy on each other, all the time. Friendly, adversarial, whatever. There is a balance that borders on being a quid pro quo – No nation expects any other, allied or not, to refrain from spying on them. It appears there’s even an understanding between friendly nations to this effect: Spies from friendly nations usually get a slap-on-the-wrist and quietly returned to their homes, as opposed to being held incommunicado, denied representation, and tortured while doing hard time at some hellhole like Guantanamo Bay.
The information uncovered or verified by spying is a critical part of the relationship between nations when they decide in which matters to trust one another. If there were anyone that couldn’t be spied on, it would destabilize the way they do business.
So what if the anti-security stance in government really is just an extension of the quid pro quo – what if they’re thinking, we have to allow everybody to spy on each other all the time, including allowing adversaries to spy on us and our citizens, because to do otherwise would destabilize the way we have always done it? What if they’re just extending millennia-old policy that forbids absolute security except in very few, very constrained instances, to a new playing field?