Adm. Rogers: Government Needs Private Industry to Join Cyber Fight

Securing the cyberspace will get worse before it gets any better, warned Adm. Michael Rogers, USN, director of the National Security Agency (NSA) and commander of U.S. Cyber Command.

“The very technical foundation of the world we’ve created with the Internet of Things is going to exacerbate [security vulnerabilities], not make it easier,” he said. Now, it’s not that the Internet of Things is bad, he pointed out. “As a private citizen, I love the convenience. But I also acknowledge it brings inherent challenges when we’re trying to defend something.”

As such, the U.S. government must work harder to better align its agencies to counter cyber attacks, a move that also will make it easier for private companies to join in the cyber fight, Adm. Rogers said during his keynote at the SAP NS2 Solutions Summit on Thursday. “We’re talking about something that I think is very foundational to us as a nation, and I would argue, to the broader world about how we are going to deal with the challenges of this digital age we all find ourselves in.”

The cyber legislation passed by the U.S. Senate on Tuesday is a good first step, Adm. Rogers said. “It is not an end-all, be-all. It is not a silver bullet. It is the first step on longer road to how we get to this public-private partnership.”

He tried to assuage fears that the bill will tantamount to sanctioned government spying on citizens. "As the director of NSA, I am not interested in the flow of personally identifiable information in the cybersecurity mission set. It slows us down. Under the legal framework we work under, if I encounter data associated with U.S. persons, I have to stop, I have to control it, I have to put it in a separate area, I have to review it and then decide if there is a legal issue."

Adm. Rogers vocalized support to designate Cyber Command as a fully fledged combatant command, a policy shift that would give it better command and control structure. “The reason why I have been a proponent of this is … centers on the operational touchstones that I try to constantly pound into the team: speed, agility and precision," he said. "This is how you can make U.S. Cyber Command faster and more agile. We’ll see how this all plays out.”

He called for government and industry to harness the power of partnerships to tackle the mounting problems associated with protecting the cyberspace. But such collaborative efforts must adhere to a clear delineation between public and private security functions. It is unrealistic to expect private businesses to take on nation-states attacking their networks, he said, and it is unworkable to expect the government to do it all. “If you want me to defend your network, I need to be inside your network,” he said. “Quite frankly, in our construct as a nation, think about the implications. Do you want the government or the military out there in private networks?”

Capitalizing on the human dimension—often said to be the weakest link in the cybersecurity chain—offers as much opportunity as it does challenges, Adm. Rogers acknowledged. “This is the one mission set I can think of where we have literally made every single person in our department an operator. When we give you access to that keyboard, when we give you access to those systems, you are now a potential point of opportunity, but you’re also a potential point of vulnerability," Adm. Rogers said. “Education and the human dynamic is a huge aspect of how we’re going to solve this and move forward.”

Approaching the problem also means leaders must break out of their comfort zones. “If you told me … I was going to be dealing with a motion picture company about cybersecurity and a major penetration—in this case Sony and the destructive act the North Koreans took against some of Sony’s corporate systems—if you had asked me about that years ago, I would have said there’s no way that’s going to happen. I’m a military guy.”

Still, human vulnerabilities pose the greatest threat to cybersecurity, said Maj. Gen. John Davis, USA (Ret.), who served as the senior military cyber adviser to the under secretary of defense for policy and acting deputy assistant secretary for cyber policy. “We have found the enemy, and it is us,” Gen. Davis said during a panel discussion.

But the heap of fault planted on employees’ poor cyberhygiene or lack of training is misplaced, countered Robert Bigman, a recent retiree from the CIA after a 30-year career in which he is recognized as a pioneer in the field of classified information protection. The community needs a healthy mix of good practices and technology that will ferret out malware, even in the most advanced attack attempts that stump the experts, he offered. “Some are so sophisticated that we can’t educate them away," Bigman said of the attacks. "There has to be another way. The technology has to be developed that would discern some of the most sophisticated attacks."