The United States will need a combination of strategies to combat the growing risk of foreign attacks on computer networks, the chief of the nation’s cyber operations told a packed room at the Kennedy School on Wednesday.
“When it comes to cyber defense, there is no one single strategy, there is no one single tool or capability,” said Adm. Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency.
Appearing at the John F. Kennedy Jr. Forum, Rogers outlined the daunting challenge of defending against cyber threats posed by both foreign nations and independent actors.
“I think it’s fair to say that right now the odds favor the offensive side. That’s in no small part because the reality is today we are dealing with network structures that were designed and built in a totally different environment” that did not anticipate cyber attacks, said Rogers.
Confronting the cyber threat, he said, will require better network protection, altering normal protocols, and changing “the risk calculations for actors so they stop and say to themselves, ‘Even if I could technically do this, would the benefits outweighs the risks and costs?’”
Rogers’ visit came amid reports that the FBI secretly arrested and is now investigating a former NSA contractor in connection with stolen computer code. Asked at the forum about the report, Rogers acknowledged the arrest but declined to comment further.
The admiral touched on foreign cyber hacking cases that have made news in recent years, including North Korea’s infiltration of Sony Pictures’ computers, the Chinese military’s alleged hacking into the networks of U.S. firms to steal industry secrets, and the recent hacking of the Democratic National Committee. Such cases reflect how cybersecurity is now a society-wide concern, affecting individuals, businesses, and government, Rogers said.
“I don’t think any of us are comfortable with the status quo.”
The growing scope of the problem, Rogers said, requires rethinking what defines critical infrastructure in the digital age.
“The power of big-data analytic tools is now making large data concentrations … very attractive and of increased importance to a whole lot of actors out there,” he said, suggesting that systems given little attention in the past, such as those used in voting, have become more likely targets.
Asked about privacy concerns over the NSA’s enhanced ability to collect data, Rogers acknowledged that “technology is driving us [to] a point that the ability to rapidly assimilate a wide range” of information is improving.
“I would also remind people that just because you see something on television or in a film doesn’t mean it is really happening or technically capable,” he said.
At the NSA, he added, “We don’t set the law; we don’t write the law. Our job is to execute the mission we are assigned within that legal and policy framework.” Still, Rogers said, attempts to strike a balance between security and privacy merit a broad policy discussion.
“I think we’ve all got to acknowledge we are in a place now where the current state of technology has outstripped our legal and policy frameworks. One of the challenges for all of us is how we realign those.”
The event was co-sponsored by the Belfer Center for Science and International Affairs.