WASHINGTON, D.C. – In his keynote address at the Billington Cybersecurity Summit, NSA Director and Commander of U.S. Cyber Command, Admiral Mike Rogers, explained that the Defense Department and corporate information security teams must focus on cyber-resiliency rather than total network protection.
In no other arena, Rogers argued, is it acceptable to totally shut down operations in the face of an attack. Yet this is something of a norm when it comes to network defense.
A more than 30-year veteran of the Navy, he explained that the military does not abort its mission in the face of resistance.
“Resiliency is the ability to sustain damage but ultimately succeed,” Rogers said. “Resiliency is all about accepting that I will sustain a certain amount of damage.”
Part of the admiral’s focus as NSA Director and head of Cyber Command, therefore, will be to ensure that networks, whether government, private sector or critical infrastructure, find a way to remedy threats and remain operational at the same time. Partnerships and relationships are central to achieving success in this mission, Rogers said.
“How do you continue to achieve goals in the face of constant penetration attempts?” he asked. Part of the problem here, he said, is that most organizations pour resources and capital into the idea that the majority of time should be spent protecting networks. Rogers said organizations must accept the hard reality that intruders will gain access to systems, and operative plans must be made in advance to ensure networks and business operations remain intact during incident response.
“You must train like you fight, and you don’t wait until the first day of combat to plan your fight,” Rogers said.
This change from all-out defense to a focus on resilience is not a small one, Rogers explained. People in key leadership positions must buy in, recognize that intrusions are inevitable, and accept that certain investments have to be made to address that reality.
He highlighted five broad areas of focus:
The first is building resilient systems from the ground up, because security cannot be bolted on.
Also, in order to create true situational awareness, organizations need to have a clear picture of what is going on within their networks, what normal looks like and what abnormal looks like, because, he said, it is impossible to protect what you cannot see.
His third point is to increase partnerships and information sharing by creating a framework through which organizations can begin to establish these partnerships and use them to work toward goals.
“Cyber-defense has largely been a pick-up game, and I don’t think that is going to get us anywhere,” Rogers said.
He also said he is a strong advocate for information sharing legislation, because the amount of information he sees being shared is not equivalent to the attacks he knows are occurring.
His fourth point related to a shift in the perception of the NSA, which is widely seen as an offensive force, to a source of defensive expertise. Rogers characterized this as “working the authority.” He said the NSA needs to be seen as a source of expertise for others. Not only that, but organizations need to understand that they can get security help and expertise from the NSA, the FBI, the CIA, the DHS and other government groups. At the moment, this system is incredibly confusing. What are the differences between the FBI’s expertise and the DHS’s? Cyber Command must clarify to the outside world whose expertise is in which fields and who they can go to with what information.
“We need to re-focus and put the public eye on technological capacity in support of others,” Rogers said.
His fifth point related to the creation of a workforce that can promote cyber-resilience, and by 2016, the government plans to have that workforce of some 6,200 people in place. Rogers made it clear that the Department of Defense is working through the relatively new theater of cyber-threats just the same as everyone else. Cyber-security, he explained, is new for everyone.
Adversaries see the investment in network penetration as a valuable one, whether it’s advanced persistent threat groups or criminals seeking credit card data. Billions of dollars are made and lost here, the admiral explained.
“This is not a small problem. It’s not going away. Technology will not catch up. This is foundational to the future. I need your help,” he said.
As his military background would imply, Rogers believes in the value of exercises.
“Focus on a particular sector, bore down into that sector and then take the plan and apply it to other organizations,” Rogers said.
On the international level, the NSA Director iterated a need to establish behavioral norms.
“We’re still trying to work our way through distinguishing the difference between criminal hacking and an act of war,” said Rogers. “If this was easy, we would have figured it out years ago. We have a broad consensus about what constitutes an act of war, what’s an act of defense.”
He would go on to explain that we need to better establish standardized terminology and standardized norms like those that exist in the realm of nuclear deterrence.
Unfortunately, unlike in traditional national defense, we cannot assume that the government will be able to completely protect us against cyber-threats because the threat ecosystem is just too broad.
While the topic of his keynote was unquestionably defense, the admiral was not able to entirely escape questions about how his agency would overcome the damage done by more than a year of damning revelations about the agency’s vast surveillance apparatus. Rogers said he rejects the premise that says the NSA has ruined its image. “We still are trusted,” he said, “we still have international partners.”
“We always follow the rule of law,” he said. “You can debate whether we should have these laws. Are existing laws constitutional? I try to remind people that all judgements to date find that the NSA has abided by the law. We have not been found to attempt to undermine the law. And we have protected the information we collect.”
Much of the information that has become public is in no small part because the NSA informs oversight entities of errors, Rogers said. Rogers went on to say if honest mistakes are made, the NSA will acknowledge and take responsibility for those mistakes. There is a difference between a mistake and choice, he said.
“If you violate standards intentionally then you will be held accountable for that choice,” Rogers said. “NSA employees ask themselves every day ‘What can I do to protect our nation and our allies?’ NSA employees don’t ask what they can do to violate the civil liberty of their fellow citizens.”