Admiral Michael Rogers, commander of US Cyber Command, director of the National Security Agency (NSA) and chief of the Central Security Service, speaks during the Armed Forces Communications and Electronics Association Cybersecurity Summit in Washington, DC, May 28, 2014. (Saul Loeb / AFP / Getty Images)
On April 3, Adm. Michael Rogers became commander of the U.S. Cyber Command and director of the National Security Agency, both headquartered at Fort Meade, Maryland.
On June 24, Rogers discussed his initial thoughts as “the new guy” on the job as the nation’s top cyber warrior during a keynote address to a cybersecurity conference in Baltimore organized by the Armed Forces Communications and Electronics Association International. Following are edited excerpts:
Thank you very much for taking the time from your very busy days to focus on a topic that I think is of critical importance to us as a nation: this idea of how do we maintain security in a cyber arena in a world where cyber continues to grow in importance and, at the same time, the level of vulnerability that is present within our cyber systems has probably never been greater. So that’s quite a challenge for anybody.
I’ve now been commanding the United States Cyber Command and the director of the National Security Agency for almost 90 days, so I have just enough knowledge now to be truly dangerous. I’ll share with you a few thoughts. One of my first take-aways is cyber is the ultimate team sport. There is no one single organization that has all the answers, there is no one single technology that will solve all of our problems, meet all of our challenges. This is a mission set that does not know clearly defined lines. In the Department of Defense, we traditionally often like to use geography as one way to align our responsibilities, to define our problem sets — our networks just flat out don’t recognize geography, which is one reason why U.S. Cyber Command is a little different. It is organized as a global command focused on a particular mission set.
The role of partnerships
This is about creating partnerships, about how do we bring together the expertise of the private sector and academia with the capabilities that a large entity like the federal government brings to the fight. How do we bring this all together, and how do we do it in an environment where at times, quite frankly, parts of the team aren’t fully trusted? And that’s where I put on my hat as the director of NSA and have to publicly acknowledge one of my challenges in that job is ensuring the nation understands what we do and why, because that hasn’t been much a part of the discussion over the last year or so.
Those partnerships exist within the Department of Defense, as the services and the joint world come together, to generate capacity for the department, and, by extension, the nation. Whether it’s operating and defending our own networks within the department, whether it is directed by the president or the secretary of defense to be prepared to apply the department’s capability in the defense of critical infrastructure. Again, cyber is not unique in that regard. The Department of Defense provides capabilities to support civil authorities in a wide range of scenarios almost every day all over this nation; so cyber is no different in that regard. But it’s different in the sense that it’s just something new.
So one of the things that I find in my current job is I spend a lot of time as a senior trying to create those relationships, those partnerships. Whether it’s yesterday, for example, the secretary of Homeland Security, myself and the FBI director getting together trying to talk about, “So what can we do collectively between our organizations to help build that partnership, to help the U.S. government apply its capabilities to support the broader civil sector that’s out there?”
I believe that cyber legislation remains a very important part of this journey because while the voluntary basis for information sharing that we have been using for the last few years has shown some progress, it just has not gotten us where we need to be. And I believe we have to come up with some vehicle to help the private sector deal with its very valid concerns about liability, how it’s going to deal with the liability it potentially incurs if it shares information with the federal government, if it takes action based on information the federal government provides.
But in the end, if we can’t create an environment where we have a dynamic information flow and a common situational awareness between particularly critical infrastructure in the civil sector and the capabilities that the U.S. government brings to this fight — whether it be in the form of DHS and their capabilities, whether it be in the form of U.S. Cyber Command and the National Security Agency, whether it be with FBI, the Secret Service and law enforcement piece — if we can’t bring this all together in a real-time basis, it’s like we’re fighting with one hand tied behind our backs, and it’s a losing defensive proposition to me.
The partnerships in particular become so critical for us. When I look at U.S. Cyber Command specifically, the Department of Defense is in the midst of a three-year journey that’s going to create a cyber workforce of approximately a little over 6,000 individuals. U.S. Cyber Command is leading that effort by partnering with the services because I’m always quick to remind my joint teammates it’s the services that generate capacity and capability. The joint world applies those capabilities, applies that capacity, but without strong service partners we cannot achieve what we need to do.
Building, maintaining a cyber workforce
I tell you, when I started this journey in cyber in uniform for me about 10 years ago as my first tour where I really started working cyber, I had two initial concerns at that time. The first was: Will the manning and the manpower policies that we use in the department enable us to create a cyber workforce in uniform that has the requisite knowledge and that will change over time to stay consistent with the threat and challenges? I look back over a decade and I have been very pleasantly surprised at our ability to build, recruit, train and obtain a very high-end cyber workforce. As I try to tell our leadership “Look, cyber is not different than any other aspect of life in uniform; we are not going to compete on the basis of pay.” If the metric is how much we’re going to pay these highly capable cyber warriors, we’re not going to be able to pay as much as we do on the outside. Where we’re going to make our difference is we have some things that we can offer that are not as readily available on the outside. We’re an organization with an ethos of service, the idea of dedicating one’s life to something bigger than one’s self. That is a powerful idea that resonates with people; that is what life in uniform is ultimately all about to me.
We are going to give people the ability to apply a very important skill set in the defense of the nation; that’s a real positive edge for us. And we’re going to do it in a career pattern that will enable you to grow over time, that will give you increased responsibility over time, and will enable you to see the world while you’re doing it, and we’re going to give you a lot of responsibility very early. Those are all real positives to me in terms of our ability to recruit and obtain the kind of men and women that we need. Because in the end I have great appreciation for technology. But what truly gives us our edge is not our technical capability, it’s the men and women, the gray matter they bring to this fight and the heart they bring to this fight; that is our ultimate difference.
The second thing when I think back 10 years ago when I first started my journey in cyber was I was concerned that it was probably going to be challenging not just to obtain and build a workforce, but how were we going to be able to sustain it over time? Given the rate of change in this environment, how do we ensure that their skills remain relevant over a 10-, 20-year career in a field where the technology is changing fairly rapidly? That is still a bit of a challenge for us; that’s one area where I think collectively we’ve got to step back and say to ourselves, “You know, maybe we need to take a look at how can we do things differently.” I’ve already made the argument on the NSA side, for example, if we can’t build a pattern where men and women are coming in and out of the organization over 20 to 30 years, we are not going to stay current with cutting-edge technology, and I think that’s important for us. You’ve got to create mechanisms where our workforce can spend time with us and then can potentially shift to another set of experiences outside us and then come back. That’s a little harder to do in the uniform world, but it’s something I’m going to talk to the services about how potentially can we do that?
The federal-civilian interface
The other thing that I think we really need to spend a lot of time on is how do we help our civilian counterparts understand how the federal government is organized to provide them cyber support and just how they can interface with us? I just had this conversation yesterday with a couple seniors where I said, “You know let’s be honest with ourselves, if you’re outside the federal government right now is it a challenge at times to figure how are we organized? How is the government organized and what’s the expectation for individual companies to interface with us?” Do we want them to go to the DHS, do we want them to go to the FBI, do we want them to go to the DoD; what’s the right answer? Should we take a sector-specific approach? Are we going to do this more broadly? We are working our way through those steps right now, but our ability to create those partnerships is critical to the future because the reality is I believe that in my lifetime, as the commander of the United States Cyber Command, that this nation will see, either from another nation-state or a group or a set of individuals, efforts designed to cause destructive cyber impacts against critical U.S. infrastructure. I believe that that will happen in my lifetime — my service lifetime.
So one of my primary focuses is how do you generate the capacity to stop that? And one of the conclusions I’ve come to is: DoD is only going to be one part of this. In the end, it’s about that broader set of partnerships that are going to be key to our success. How are we going to do that? What are the expectations and the relationships that we’re going to create? How do we share situation awareness across government and private lines? That’s a little unusual for us, but in my view, that’s what we need ultimately to be able to do.
So as the new guy coming up on 90 days in command, that’s designed to give you a sense of what are the things that I tend to focus on right now and what do I think are some of the challenges.