Cyber information sharing is critically important in helping to begin addressing cybersecurity threats, the commander of U.S. Cyber Command and head of the National Security Agency (NSA) said Tuesday.
“If experience has taught me one thing in the cyber arena it is that this is ultimately about the power of partnerships. About how do you bring together a broad expanse of organizations with different expertise, different capabilities, different perspectives, whether they be in the government, outside the government…how are we going to bring this capability together in a coherent way to help us as a nation deal with a problem set that is only growing in its complexity,” Adm. Michael Rogers said at a Woodrow Wilson International Center for Scholars briefing.
Rogers said that when asked by Congress what they can to help him protect the country from cyber attacks, ““I said really there’s two things–In executing your mission and ensuring that we have the resources and capabilities that we need to generate those capabilities. But, secondly, help create a legal framework that enables us to more rapidly share information both ways. And I always highlight to people this has got to be both ways.”
Rogers said he is interested in the private sector sharing its insights with the government as well as the government pushing out more information and faster to them. “I’m interested in learning from my private sector teammates is what we predicted what you are seeing? Is the intelligence we are generating to help you really of value? What can we do that would make it more effective?…What did you find was effective? How can I replicate that capability, those actions you took that were effective? How can we help to replicate them all across a much broader swath?”
Despite favoring legislative action on cyber sharing, Rogers admits it would not be a panacea to cybersecurity. “It is a beginning to, as I said, a much longer process, but it is an important beginning to me.”
Rogers also highlighted the importance of developing deterrence and norms of behavior in the cyber domain for both the United States and global security “Because right now, I believe, most nation-states, groups, individuals have come to the conclusion that in the current framework there’s little price to pay for the behaviors they are choosing to engage in…I don’t think that’s in the best interests of the world. I look forward to the day when we have concepts of norms, about what’s acceptable and what’s not acceptable. We’ll get there, but it’ll probably take us longer than we need.”
Rogers said the Department of Defense is taking preliminary actions to spur this discussion through this year’s new Cyber Strategy (Defense Daily, April 23). The strategy specifically provokes a conversation on deterrence and norms because it discusses American offensives cyber capabilities and when they might be used.
The Cold War nuclear deterrence experience also teaches two ways deterrence norms can be used in the cyber domain, Rogers said. First is deterrence by denial, in which an attacker’s attempts are highly unlikely to work–if weapons cannot reach their targets or if a cyber attack cannot penetrate a network. The other kind of deterrence convinces an opponent even if they could achieve a successful attack, the cost paid in retaliation would outweigh any initial value gain.
Rogers admitted the toughest challenge in cyber deterrence is against a non-nation-state actor. However, every group values something that can be potentially threatened for deterrence, he said. Nation-states, in contrast, tend to believe the current global structure is in their long term interests. They do not want to gain some immediate advantage if the cost is fundamentally changing the current global power structure, Rogers said.