Admiral Rogers Speaking at the Joint Service Academy Cyber Security Summit

Admiral Mike Rogers gave the keynote address at the Joint Service Academy Cyber Security Summit today at West Point. He started by explaining the four tenets of security that he thinks about.

First: partnerships. This includes government, civilian, everyone. Capabilities, knowledge, and insight of various groups, and aligning them to generate better outcomes to everyone. Ability to generate and share insight and knowledge, and to do that in a timely manner.

Second, innovation. It's about much more than just technology. It's about ways to organize, values, training, and so on. We need to think about innovation very broadly.

Third, technology. This is a technologically based problem, and we need to apply technology to defense as well.

Fourth, human capital. If we don't get people working right, all of this is doomed to fail. We need to build security workforces inside and outside of military. We need to keep them current in a world of changing technology.

So, what is the Department of Defense doing? They're investing in cyber, both because it's a critical part of future fighting of wars and because of the mission to defend the nation.

Rogers then explained the five strategic goals listed in the recent DoD cyber strategy:

  1. Build and maintain ready forces and capabilities to conduct cyberspace operations;

  2. Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions;

  3. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence;

  4. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages;

  5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.

Expect to see more detailed policy around these coming goals in the coming months.

What is the role of the US CyberCommand and the NSA in all of this? The CyberCommand has three missions related to the five strategic goals. They defend DoD networks. They create the cyber workforce. And, if directed, they defend national critical infrastructure.

At one point, Rogers said that he constantly reminds his people: "If it was designed by man, it can be defeated by man." I hope he also tells this to the FBI when they talk about needing third-party access to encrypted communications.

All of this has to be underpinned by a cultural ethos that recognizes the importance of professionalism and compliance. Every person with a keyboard is both a potential asset and a threat. There needs to be well-defined processes and procedures within DoD, and a culture of following them.

What's the threat dynamic, and what's the nature of the world? The threat is going to increase; it's going to get worse, not better; cyber is a great equalizer. Cyber doesn't recognize physical geography. Four "prisms" to look at threat: criminals, nation states, hacktivists, groups wanting to do harm to the nation. This fourth group is increasing. Groups like ISIL are going to use the Internet to cause harm. Also embarrassment: releasing documents, shutting down services, and so on.

We spend a lot of time thinking about how to stop attackers from getting in; we need to think more about how to get them out once they've gotten in -- and how to continue to operate even though they are in. (That was especially nice to hear, because that's what I'm doing at my company.) Sony was a "wake-up call": a nation-state using cyber for coercion. It was theft of intellectual property, denial of service, and destruction. And it was important for the US to acknowledge the attack, attribute it, and retaliate.

Last point: "Total force approach to the problem." It's not just about people in uniform. It's about active duty military, reserve military, corporations, government contractors -- everyone. We need to work on this together. "I am not interested in endless discussion.... I am interested in outcomes." "Cyber is the ultimate team sport." There's no single entity, or single technology, or single anything, that will solve all of this. He wants to partner with the corporate world, and to do it in a way that benefits both.

First question was about the domains and missions of the respective services. Rogers talked about the inherent expertise that each service brings to the problem, and how to use cyber to extend that expertise -- and the mission. The goal is to create a single integrated cyber force, but not a single service. Cyber occurs in a broader context, and that context is applicable to all the military services. We need to build on their individual expertises and contexts, and to apply it in an integrated way. Similar to how we do special forces.

Second question was about values, intention, and what's at risk. Rogers replied that any structure for the NSA has to integrate with the nation's values. He talked about the value of privacy. He also talked about "the security of the nation." Both are imperatives, and we need to achieve both at the same time. The problem is that the nation is polarized; the threat is getting worse at the same time trust is decreasing. We need to figure out how to improve trust.

Third question was about DoD protecting commercial cyberspace. Rogers replied that the DHS is the lead organization in this regard, and DoD provides capability through that civilian authority. Any DoD partnership with the private sector will go through DHS.

Fourth question: How will DoD reach out to corporations, both established and start-ups? Many ways. By providing people to the private sectors. Funding companies, through mechanisms like the CIA's In-Q-Tel. And some sort of innovation capability. Those are the three main vectors, but more important is that the DoD mindset has to change. DoD has traditionally been very insular; in this case, more partnerships are required.

Final question was about the NSA sharing security information in some sort of semi-classified way. Rogers said that there are a lot of internal conversations about doing this. It's important.

In all, nothing really new or controversial.

These comments were recorded -- I can't find them online now -- and are on the record. Much of the rest of the summit was held under Chatham House Rules. I participated in a panel on "Crypto Wars 2015" with Matt Blaze and a couple of government employees.

EDITED TO ADD (5/15): News article.

Posted on May 14, 2015 at 1:12 PM • 18 Comments

Comments

Ray Dillinger • May 14, 2015 1:59 PM

I had a horrible thought this morning.

It is well understood by people working in the field that there is no way for technology to distinguish between "authorized" attackers - ie, those with good intentions - and "unauthorized" attackers - ie, those with evil intentions attacking via the same means, and this is a fact we remind government types of again and again when they insist that new systems must be vulnerable to additional attacks via "law enforcement key" etc. Systems can be secured against everybody, or against nobody.

The thought I had is this. What if they are fully aware of this but regard systems secured against everybody as a *WORSE* outcome than systems secured against nobody? What if they don't want cyberspace to be secured at all?

The "traditional" security relationship between governments is that all of them spy on each other, all the time. Friendly, adversarial, whatever. There is a balance that borders on being a quid pro quo - No nation expects any other, allied or not, to refrain from spying on them. It appears there's even an understanding between friendly nations to this effect: Spies from friendly nations usually get a slap-on-the-wrist and quietly returned to their homes, as opposed to being held incommunicado, denied representation, and tortured while doing hard time at some hellhole like Guantanamo Bay.

The information uncovered or verified by spying is a critical part of the relationship between nations when they decide in which matters to trust one another. If there were anyone that couldn't be spied on, it would destabilize the way they do business.

So what if the anti-security stance in government really is just an extension of the quid pro quo - what if they're thinking, we have to allow everybody to spy on each other all the time, including allowing adversaries to spy on us and our citizens, because to do otherwise would destabilize the way we have always done it? What if they're just extending millennia-old policy that forbids absolute security except in very few, very constrained instances, to a new playing field?

Dean • May 14, 2015 3:10 PM

Thank you for asking those specific questions. They are the questions that immediately come to my mind, and some variants of them, and questions which, I am sure come to the mind of anyone involved in US public security. (Corporations, colleges, non-profits, vendors, consultants, etc.)

A key problem is: nations have been attacking, and not a few of these sorts of attacks show that they are reconnaissance level. Gathering data, including, very likely, data to be used in case there is ever conflict.

It is like how the Russians or Germans would hide weapons caches and have agents as sleepers and active on soil. But far worse.


It would seem that at the very least some manner of national firewall must be made and plans for segmenting communications in worst case scenarios. But some of these 'worst case scenarios', are very troublesome. Firing missiles, lodging agents, hiding weapons cache, transferring covertly dangerous biological or nuclear weapons is all very different from pulling out the key blocks of jenga puzzles that might hold up our economic infrastructure.

Similar arguments can and have been made about, for instance, scada attacks. But it is by no means just our critical infrastructure companies which are potentially at danger in these circumstances.


Same concerns for any other country, obviously. To open that up and not be nationally selfish.


There are also many mixed threats concerns which should be had. For instance, by having physical access mixed with electronic access can, for instance, introduce poison material into mass produced food and drink material. Many possible variants on that theme. (Contrast with traditional, 'they shutdown our power grid remotely themes', those sorts of attacks are easier to predict and prepare against beforehand, I would argue than mixed attacks.)

(I am aware some forms of mixed attacks are routinely considered, such as biological attack mixed with communications attack, and so on. But many of these ultimately end up with the same easier solutions. For instance, protection against infrastructure communications is a given. Protection against a major financial corporation or food supplier may not be. Or paint vendor. Or vitamin supplier. Or... the list goes on and on. )


DoD funding, I do believe is essential in all these regards. Just as they have been doing, but much more expanded. DHS does perform funding but not as aggressively as DoD is capable of. Maybe that could change. DoD also has much more experience with public collaboration projects that produce good technology. But, maybe that should be shifted much more to DHS.


Dean • May 14, 2015 3:22 PM

@Ray Dillinger

> The thought I had is this. What if they are fully aware of this but regard systems secured against everybody as a *WORSE* outcome than systems secured against nobody? What if they don't want cyberspace to be secured at all?

It is a two hands opposed to each other thing. Clearly, had they won out against internet encryption (or even with gps) we would not have the economy and technology we have today.

A problem is, however, there is an information economy in government. Which is more important? Getting information or protecting it. I think the latter, but the latter is much more difficult to quantify. If you are a spy agency or have that capacity, which all these agencies do, even DHS to a degree, information you can give upstream increases your collective power. That is unbalanced and dangerous.


tyr • May 14, 2015 4:40 PM


Since the beginning C-space has been designed for a
specific task. Maintaining a communication channel
open in the aftermath of a thermonuclear exchange.

It makes it horribly robust when you extend it to
the planet because it is also useful. Once it gets
hooked up everywhere your own attitude makes it
assume the form of your approach to it. Paranoid,
it will confirm your worst fears in ways you were
not able to imagine. Rigidly uptight, it will act
to confirm your worst fears that there are things in
the world you did not wish to know about. Utopian,
you see possibilities everywhere to make a better
world for everyone past all the barriers of fearful
neophobes. Military, you get to practice your way
of life without all the dirty aspects of modern
warfare, screaming, burning stench, and other
sensory assaults.

One thing that might help is to understand that
if you consider the problems as minor rather than
major then they become solvable. Considering all
of Islam as a breeding ground for hostile maniacs
is counterproductive and indiscriminate bombing
and drone strikes are not the way to make this go
away. Viewing every individual who is curious about
the way things work as a monstrous evil hacker
who only lives to ruin holy capitalism and our
sacred government by stomping them into oblivion
with bad laws and draconian attempts to destroy
them for the horrible crime of curiosity is not
the way to solve the problems of society. The
solutions we need are those that make things a
lot better instead of a lot worse. But that is
something that needs rational examination of the
results of past actions. Then act to change the
counterproductive actions without blaming and
shaming no matter how human it is to do so.

Marcos El Malo • May 14, 2015 5:31 PM

"Cyber is the ultimate team sport."

In this context, I imagine he means cybersec, not cybersecs.

Dennis • May 14, 2015 6:30 PM

"Every person with a keyboard is both a potential asset and a threat."

ok, I guess now we know where the malware is going.

Icy Hot • May 14, 2015 7:29 PM

"Expect to see more detailed policy around these coming goals in the coming months."

Sadly, I expect continued secrecy.

Bobby R. • May 14, 2015 8:01 PM

Always loved a good rally talk, especially made by an Admiral. They are always quite insightful and refreshing to the soul. It's interesting that Bruce gets invited to so many of these.

Jon • May 14, 2015 9:23 PM

Folks... The Director of the CIA was handing over classified files to the girl he was fucking. He was married to someone else at the time.

That particular lady may have been merely writing a biography. But o lord the ol' KGB would have just pooped themselves over something like that. The new threats are no less sophisticated.

The punishment for so doing? A little publicity, a trivial fine, and 'off you go'. End of career, yes, a comfy retirement, yep, that too.

As Mr. Schneier described before, the best insider attack is when the insider is the boss.

When the deterrents are less than tissue paper, all your security efforts aren't worth a sneeze.

J.

Jon • May 14, 2015 11:02 PM

>Chatham House Rules.

The first rule of Chatham House is that there is only one rule.

Paul E. "Marbux" Merrell, J.D. • May 15, 2015 1:10 AM

@ "And it was important for the US to acknowledge the attack, attribute it, and retaliate."

Unclear from the article whether this was a characterization of the Admiral's statement or a comment by Bruce, but assuming that "retaliate" means "retaliate via cyberwar" I think it's dead-wrong. We must choose our battlegrounds wisely.

In my long-considered opinion, the drastically increased communication enabled by the Internet and automated translation of human languages is humanity's best chance at achieving world peace. Demonization of an "enemy" culture doesn't work as a pro-war propaganda device when many members of both cultures are communicating and working with each other.

And from that viewpoint, it is fundamentally wrong to make cyberspace a military battleground. Respond to cyber-attacks by other means, but do not wage cyberwar for any reason because it is antithetical to the peaceful resolution of disputes and to fundamental liberties such as Due Process and Equal Protection of the Law. Cyberwar is a corrupting force in what should be a house of Peace, the people of this world assembled.

Cyber-defense is valuable, even vital, but as a society -- if we be sane -- we must seek the end of cyberwar, not embrace it.

Joe K • May 15, 2015 4:52 AM

> The problem is that the nation is polarized; the threat is getting worse at the same time trust is decreasing. We need to figure out how to improve trust.

What? But the weekly regimen of remote-control assassinations, the annual regimen of assorted coups and
provocations, the dedicated spying on the entire world's population, the lying your asses off about it
(all those sweet, sweet lies), and hauling off to prison (or trying, at any rate) anyone who reveals the
lies for what they are... Has everyone completely lost their sense of gratitude?

Are we now to believe that these noble gestures have not sent trust-levels to an all-time high?

Inconceivable! Surely the admiral is mistaken!

Wesley Parish • May 15, 2015 6:06 AM

> Four "prisms" to look at threat: criminals, nation states, hacktivists, groups wanting to do harm to the nation. This fourth group is increasing.

At a guess, I'd add half-wits in the official, semi-official and unofficial US DoD, the National ?Intelligence? Community and associated factions to the set of people wanting/capable of doing the US harm. PEBKAC. @Bruce, I hope this was made clear to the Admiral.

Of course, the IoT with 1980s-PC-type capabilities, internet connections, no login authentication and accessible through USB or the like, constitutes an incredibly vast "wetted surface" for the benefit of an attacker: when this is combined with backdoors into COTS,

> The CyberCommand has three missions related to the five strategic goals. They defend DoD networks. They create the cyber workforce. And, if directed, they defend national critical infrastructure. [...] We spend a lot of time thinking about how to stop attackers from getting in; we need to think more about how to get them out once they've gotten in [...]

is rather like pushing a dray-load of manure uphill in a spring rain storm. Very refreshing, if you're a mushroom.

bigmacbear • May 15, 2015 12:41 PM

@Joe K: You keep using that word. I do not think it means what you think it means, ;-)

655535 • May 15, 2015 2:49 PM

This is a lofty show – on the eve of the sunset of the 215 Act or re-authorization.

I hope Rogers remembers some key points. He is a Public Servant. The military is subservient to the people and the Constitution of the United States. He must discharge his duties legally, ethically and economically with full civilian oversight [The people pay his meal ticket – his budget and powers are not unlimited].

[I will add my comments in brackets]

“Rogers then explained the five strategic goals:

1] “Build and maintain ready forces and capabilities to conduct cyberspace operations;

[Which must be legal under the US constitution, not breaking the First, Second, Third, Fourth Amendments and so on. Basically not use the cyber-cannon on civilians and use it on a cost efficient basis only when needed – no more planting root kits and viruses on peoples computers in a scatter gun fashion]

2] “Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions;

[Within the law and within the budget!]

3] “Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence;

[While not trampling over the US Constitution, Fourth amendment and other laws – and within budget]

4] ”Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages;

[Within constitutional boundaries and judicial oversight while not turning America into a police state with wire taps on every phone – and within budget]

5] “Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.

[While maintaining privacy and Constitutional rights for all American’s communications – no more routing American’s data around the world to record and store for side-stepping USA wire tap laws]

I hope this round of talks by Rogers doesn’t turn into a “Budget Fund Raiser” or power grab for rights by the Intelligence Community. Both would be very negative.

[Excuse the grammar and other errors]

rgaff • May 20, 2015 6:38 PM

"We need to figure out how to improve trust."

Didn't someone say "less lies more trust"? That's the answer. That's how to improve trust. Tell less lies.
