Cybercom Nominee Emphasizes Legislation, Transparency
By Cheryl Pellerin
American Forces Press Service
WASHINGTON, March 12, 2014 President Barack Obama’s nominee to be director of the National Security Agency and commander of U.S. Cyber Command said yesterday that legislation and transparency are critical to the nation’s security in cyberspace.
Navy Vice Adm. Michael S. Rogers shared his views with the Senate Armed Services Committee during his confirmation hearing. Now serving commander of U.S. Fleet Cyber Command and U.S. 10th Fleet, Rogers also is nominated to receive his fourth star and to be director of the Central Security Service. If confirmed by the Senate, he would succeed Army Gen. Keith B. Alexander, who is retiring.
“We face a growing array of cyber threats from foreign intelligence services, terrorists, criminal groups and ‘hacktivists’ who are increasing their capability to steal, manipulate or destroy information and networks in a manner that risks compromising our personal and national security,” Rogers said in his opening statement.
“They do so via a manmade environment that is constantly evolving, and through the use of techniques and capabilities that are continually changing,” he added. “This is hard work, and it requires change -- something seldom easy either for individuals or for organizations.”
If confirmed as Cybercom commander, Rogers said, his priority will be to generate the capabilities and capacities the military needs to operate in the dynamic environment of cyberspace, providing senior decision-makers and fellow operational commanders with a full range of options in that arena.
He will partner aggressively with U.S. allies and partners, those in the private and academic sectors, the Defense Department, government agencies and organizations, and Congress, the admiral said.
“I am also mindful that Cyber Command and NSA are two different organizations, each having its own identity, authorities and oversight mechanisms, while executing often related and linked mission sets,” Rogers said. “Each has the potential to make the other stronger in executing those missions, and I will work to ensure each is appropriately focused.”
The admiral said he would run the agencies in a manner that protects the civil liberties and privacy of the nation’s citizens and ensures strict adherence to policy, law and oversight mechanisms.
“I will be an active partner in implementing the changes directed by the president with respect to aspects of the NSA mission,” he added, “and my intent is to be as transparent as possible in doing so and in the broader execution of my duties, if confirmed.”
He thanked the men and women of NSA and Cybercom for their commitment to the nation’s security and their professionalism, and said he looks forward to joining the team if he’s confirmed.
Rogers answered a range of questions from senators, but the majority focused on a September 2013 news report of a hacker intrusion into Navy computer systems, the need for cyber legislation, and Rogers’ solution for Americans’ distrust of NSA prompted by Edward Snowden’s 2013 media leaks of NSA collection practices.
On Sept. 29, the Wall Street Journal reported that hackers possibly related to Iran broke into unclassified Navy computers before a security upgrade had taken place, and that it was November before the Navy had rid the network of the hackers. The report cited unnamed U.S. officials. Rogers confirmed that a segment of the Navy’s global unclassified network was compromised by an opponent who was able to gain access to the system.
“I generated an operational requirement not just to push them out of the network,” he said, “but I wanted to use this opportunity to do a much more foundational review of the entire network … to drive change within my own service.”
The admiral said the damage was not significant because the hackers did not opt to engage in destructive behaviors.
“My concern from the beginning was, ‘Well, what if they had decided that was their intent?’” he told the Senate panel.
Rogers called it a “significant penetration,” and noted that over the past few months, he had updated the committee’s staffers multiple times on his comprehensive operational response “to put a much longer-term effort in place.”
Other questions were related to the president’s launch in February of a Cybersecurity Framework, a voluntary how-to guide for organizations in the critical infrastructure community to enhance their cybersecurity. Because it hasn’t been possible over the past few years to get a cyber bill through Congress, the framework is seen as a way for industry and government to try to strengthen the security and resiliency of critical infrastructure through existing standards, best practices and guidelines that would improve critical infrastructure cybersecurity.
In response to a question from the panel about the effectiveness of the voluntary framework in protecting the nation from a cyberattack, Rogers called it a step in the right direction.
“But I do believe that in the end, some form of legislation that addresses both the requirement and need to share information, as well as trying to address the issue of setting standards for critical infrastructure for the nation, in the long run is probably the right answer,” he said.
Another question from the panel was on the necessity of a provision in cyber legislation that gives commercial companies liability protection from their customers when the companies share information about cyber intruders with the government.
“I'm not a lawyer, but my sense is that it's a critical element of any legislation,” Rogers said. “I believe to be successful, we ultimately have to provide the corporate partners that we would share information with some level of liability protection.”
The admiral added that he believes commercial firms would be much less inclined to share information without such a provision.
As to the timing on getting such legislation in place, Rogers said, “The sooner the better. It is only a matter of time, I believe, before we start to see more destructive activity. That is, perhaps, the greatest concern of all to me.”
The panel posed several questions about distrust by the American people and the international community of the NSA after the media leaks last year by Edward Snowden that disclosed NSA collection of telephone metadata of U.S. citizens in the United States. Other panel members were bothered by the number of Americans who consider Snowden a whistleblower rather than a lawbreaker.
Rogers said he believes one of his challenges as NSA director, if confirmed, is to determine how to engage the American people, and by extension, their representatives, in a dialogue in which they have a level of comfort as to what NSA is doing and why.
“That is no insignificant challenge for those of us with an intelligence background, to be honest,” the admiral said. “But I believe that one of the takeaways from the situation over the last few months has been, as a senior intelligence leader, that I have to be capable of communicating in a way that highlights what we are doing and why, to the greatest extent possible. I think we can be a little more communicative about why we are doing this, what led us to these kinds of decisions.”
Rogers said the dialogue should be much broader than the National Security Agency, because the discussion is about more than the intelligence aspect of security.
“In the end, this fundamentally boils down to an assessment of risk, in terms of our security as a nation as well as our rights as individuals,” he said. “We value both, and we have to come up with a way to ensure that both sides of that risk coin are addressed.
“But we should never forget that there is a threat out there that aims to do us harm,” Rogers continued, “that does not have the best interests of this nation in mind, and wants to defeat what this nation represents.”
(Follow Cheryl Pellerin on Twitter: @PellerinAFPS)