The federal government’s cybersecurity policy has reached a crossroads, and the upcoming presidential transition is an opportunity to take a long, hard look in the mirror, and decide how to move forward.
That’s according to Adm. Mike Rogers, who runs both the National Security Agency and U.S. Cyber Command. And the self-assessment he wants begins with how the government purchases capabilities.
“There’s a test within the defense language from last year’s Defense Authorization Act which grants U.S. Cyber Command, on a test basis, for the first time, both acquisition authority and a very small amount of money,” he said during his keynote speech at the Maryland Cyber Conference 2016 on Oct. 20. “So we’re working our way through right now with the Department of Defense, what’s the framework we’re going to put in place to grant those authorities to Cyber Command, and then how are we going to execute those? You’re going to see that start to roll out in fiscal year ‘17.”
He said that Cyber Command, as a traditional Defense Department operational command, doesn’t currently buy, design or generate capability.
“We need to step back and ask ourselves, does that make sense, and is that the model of the future?” he asked.
And that question isn’t limited solely to Cyber Command’s acquisition policies, either. Rogers wants to apply that lens to workforce issues, public-private partnerships, foreign cyber policy, and mobility as well.
“We’ve got to roll our sleeves up as a nation, we’ve got to realize that this is not a short-term phenomenon,” Rogers said. “This is long-term hard work for all of us. We’ve got to step back and ask ourselves ‘what do we do to change the current dynamic that we’re in?’ Because I don’t think any of us would argue that we are where we want to be right now in terms of cybersecurity.”
That’s not to say that it’s all bad; Rogers said there are definitely some positives to the government’s current cybersecurity stance.
“Certainly, if you read the news, it’s easy to step back and tell yourself ‘oh, it’s just getting worse and worse,’” he said. “What I try to tell our team is ‘let’s step back for a moment, let’s think about where we’ve come in the past five years.’”
In that time, the government has widely acknowledged the gravity of the cybersecurity situation. Rogers said he no longer has conversations with agency leaders where he has to try to convince them to care about and devote resources to cybersecurity.
“We are way past debating that this is something that merits attention,” he said.
The government has also done well, Rogers said, in creating well-defined cyber roles, recognizing the importance of public-private partnerships, and building mechanisms to facilitate them.
“On the other hand, I also remind myself … I think we all have to acknowledge that we’re not where we want to be,” Rogers said. “So I’m just not interested in sitting back, patting ourselves on the back, and saying ‘hey, look how much better things are now than they were.’”
Rogers said that moving forward, agencies are going to have to assess risk, and develop their cybersecurity plans accordingly. Operational security will have to be balanced against open data availability and bring-your-own-device policies.
He continually expressed it as a question of exactly what agencies are comfortable with, and what they deem to be acceptable.
“We find ourselves in a world right now where technology has outpaced the legal and policy frameworks that we have in place,” Rogers said. “I’m not trying to argue is that good or bad, I’m just trying to say hey, look folks, we’ve got to acknowledge that it is. So we’ve got to ask ourselves are we comfortable with that? The second question I think we need to ask ourselves is not only are we comfortable with this, but also, what does it mean, and what are the changes that we need to make given this incredible rate of technological change.”
He applied this in particular to mobile policy — which he referred to as both foundational to the future and a double-edged sword — and to the Internet of Things, which he said increases the potential points of vulnerability.
“As a society, we do not truly yet understand all the implications of the broader connectivity … where increasingly, simple, everyday devices … are not autonomous anymore. It’s now connected to a much broader set of capabilities,” he said.
His primary example was cars, which are becoming connected and computer controlled in ways that have never occurred before, and which policy is not prepared to address.
“The automobile of today is a series of integrated and autonomous software sets of capabilities in which a plethora of connectivity to the outside world is occurring around us at a level we don’t understand or have awareness as the operator of the vehicle. It’s just built into the car in a way that none of us truly know or understand,” he said. “So think through the implications of that.”