The head of U.S. Cyber Command says he wants to create an effective early warning system for cyberspace – potentially ringing alarm bells when foreign adversaries are preparing attacks on government or even private networks. But to do it effectively, he says he needs more voluntary sharing of cyber threat information between the federal government and commercial companies.
Adm. Mike Rogers, who is also the director of the National Security Agency, said a key part of Cyber Command’s defensive mission is to use the NSA’s foreign intelligence gathering capabilities to embed sensors abroad so that it knows what “key cyber actors” are doing even before an attack is launched.
“The idea is that instead of just waiting at the point of termination, we can get ahead of this problem set by getting insights at the point of origin where the attack is coming from before it originates,” Rogers told the annual Aspen Security Forum Thursday night. “We want to provide indications and warning that, ‘Hey, these are the tactics, techniques and procedures the attacker is planning to use, this is what you’re going to see and here’s how you can best structure your defense to defeat it.’ Between NSA and Cyber Command, we try to do all of that with the private sector, partnering with DHS and the FBI, who are probably our two biggest partners on the cyber defensive side.”
Those partnerships are critical, Rogers said, because while the NSA is mandated to gather cyber intelligence abroad, it is forbidden from doing so with regard to U.S. systems or U.S. persons. And when it comes to data points housed in U.S.-based networks that could provide early warning of an attack, such as adversaries laying the groundwork for a data exfiltration from a corporate system, Cyber Command only has access to the threat indicators companies voluntarily decide to share.
He said a reluctance to proactively share that information was a source of frustration in the aftermath of the recent attack by North Korea against Sony Pictures.
“Sony, to their credit, gave us everything we asked for after the hack,” Rogers said. “As a result of that, we were able to generate insights relatively quickly about what we were seeing and who was responsible, but my frustration with Sony was, ‘Hey, this is great, but the horse is already out of the barn. Why couldn’t we have this kind of dialogue prior to the attack?’”
But Rogers says even though the information sharing happened after the fact, it was still enormously valuable and served an important national security purpose. He said he argued, and the White House agreed, that the U.S. government needed to take the unusual step of publicly attributing the attack to a particular country, North Korea in this case, and vowing that there would be consequences.
“They clearly were trying to use cyber to achieve a coercive effect. This time it was a movie, but what if the next time, a nation state or other actor decides they don’t like a U.S. policy or product or that they disagree with a particular position a company or individual takes? That’s not a good road to go down for us as a nation,” he said. “My concern was that if we did nothing, it would send a signal to other nation states that you can do this without generating any kind of response.”
And while Rogers said the government emphatically does not want companies to become complacent with their own cyber protections nor rely entirely on agencies like his to protect them, in some instances – which must be evaluated on a case-by-case basis – it’s important for the government to take action in response to an attack against private interests.
“If you’re in the private sector and you see the government’s not going to do anything, what does that drive the private sector to do? Do you start to get into hack-backs and cyber mercenaries? If the private sector believes they can’t count on the government, they’re going to conclude they’re going to have to go on the offense themselves,” he said. “My argument was that would be incredibly destabilizing, and frankly it would complicate my life. The number of cyber actors we have to deal with out there would really proliferate. And it’s hard enough as it is right now.”
He said the steps the U.S. took in the aftermath of the Sony hack seemed to have achieved their desired effect in that no attack rivaling that one’s scale or character has taken place since then.
Without elaborating on the reasons, Rogers said U.S. officials have deliberately decided to take a different approach to the question of public attribution for the huge hack of the data systems at the Office of Personnel Management.
But he did say that the OPM attack is a signal of what may become an emerging trend in network attacks by other nation states: because of the proliferation of tools that can readily perform detailed analytics on large data sets, adversaries will increasingly seek to purloin entire haystacks of data all at once and search for the needles later.
“One of my takeaways from OPM is that concentrations of large data now become incredibly attractive,” he said. “It’s no longer just about wanting to find the plans for the F-35 or people trying to see what we’re doing with advanced acoustics or advanced dye technology. And from a defensive standpoint, that makes the job even more difficult.”
Although James Clapper, the director of national intelligence, called China the “leading suspect” in the OPM hack during a public forum earlier this month, U.S. officials have neither officially nor publicly blamed that country for the attack, and several top intelligence officials continued to pointedly refuse to do so when questioned on stage in Aspen over the past several days.
But Rogers listed several reasons why the trove of personnel information and security clearance investigation records would be attractive to a theoretical foreign intelligence service.
“From an intelligence perspective, it gives you great insights you can use for counterintelligence purposes,” he said. “If I’m trying to figure out why a U.S. person is in my country, whether they’re a tourist or they’re there for some other reason, there are some interesting insights you could draw from the kind of data that was taken from OPM. The second reason that kind of data is attractive is that we’re seeing attackers use their insights about people as individuals to tailor emails that seem completely appropriate to you as a user: it’s from somebody I know, it’s an issue I care about and have been really focused on for a long time. In the last nine months, I have been watching huge spearphishing campaigns coming out of several nations around the world directed against U.S. targets. To me, these things are not unrelated.”