Adm. Mike Rogers, commander of U.S. Cyber Command and director of the National Security Agency, told a congressional subcommittee that increased investments in cybersecurity are a reflection of the world we live in and the evolving nature of cyber threats. He was responding to lawmakers’ concerned about rising budget deficits and potential future cuts to the Defense Department.
“We’ve been (implementing efficiency measures) since Cyber Command was created. The idea was ‘Don’t replicate the billions of dollars investment the nation has made in generating cyber expertise,’” Rogers said. “Look at the world around you. This is not a mission-set that we are going to efficiency our way out of. The investments we are making in cyber reflect the nature of the world we are dealing with from a threat perspective.”
Rogers defended the 9 percent budget increase request for fiscal 2017 before the House Subcommittee on Emerging Threats and Capabilities on March 16. He emphasized collaboration within the agency and with the private sector as the next step in U.S. cybersecurity.
“Our operations to defend DoD networks and the nation’s critical infrastructure proceed in conjunction with a host of federal, industry and international partners,” Rogers said. “No agency has the authority, wisdom or capability to accomplish this mission alone.”
Rogers explained his priorities to the subcommittee, breaking them down into three key missions. His first concern, he said, was defense of the DoD networks.
“I’m very comfortable that we have all the authorities that we need,” he said. “I can do what I need to do in a timely manner to protect our networks.”
His second priority is to support combatant commanders. He wouldn’t go into details due to the unclassified nature of the hearing, but he said that Cyber Command is using real world insights, such as Islamic State militants and the OPM data breach, to structure this mission.
But Rogers’ third mission is “the one area where we still need more collective work … how do you apply DoD generated capacity in the cyber arena outside the government in the private sector? I’ll be honest: it hasn’t been my highest priority. There’s such a disconnect between the requirements of this mission set and where we are in capability. It’s all about prioritization and making smart investments. I’ve consciously prioritized across those three missions, so it’s the next big area we have to get into.”
Rogers has expressed frustration in the past with a lack of cooperation from the private sector. He discussed a couple of programs that he’s implementing to address that issue, including Cyber Guard 16, a nationwide exercise that brings together federal, state and local participants, private industry and commercial infrastructure providers. The Cyber Guard program has increased in scope over the past few years. Rogers said the first exercise only had three participants, but now there are over 100.
“It’s getting to the point now where I’m starting to run into a capacity concern,” Rogers said. “We’ve got more interest than there’s room.”
The Cyber Guard program simulates a nationwide response to cyber attacks on critical infrastructures, like power grids. The exercise occurs every June.
He also discussed another program which he’s experimenting with at the NSA before he applies it to Cyber Command.
“Is there a way to take some of our DoD workforce, have it spend some time in the private sector, and have it come back to us? And have the private sector spend some time with us? That’s among the things we have to do in the future,” Rogers said. “We have to have a broader partnership.”
He also discussed his two biggest concerns for the near future. The first is the education and preparedness level of the individual user, echoing the concerns of other federal cybersecurity leaders. Rogers said that no matter what investments and defensive structures he has in place, the actions of an individual user who clicks the wrong link at the wrong time can make it very difficult to bring those defenses to bear.
He’s also concerned with the evolving nature of targets and proliferation of cyber attacks.
“I feel comfortable with our level of capability,” Rogers said. “What concerns me is capacity. As threats proliferate, our ability to deal with high-end simultaneous complicated threats is what I’m concerned about.”
He said that the cyber world has progressed, especially because of tools that enhance hackers’ abilities to analyze large concentrations of data. This is not the first time he’s made this argument.
“As I look at the evolution of the threat, what concerns me is … data value,” Rogers said. “OPM, Anthem, those are good examples to us. Data now is a commodity … you’ll see increased attacks against big data concentrations.”