Human Capital and Cyber Security: a Keynote by NSA's Admiral Rogers
NSA's Rogers: "I'm here because I'm part of the Maryland cyber ecosystem."
Early in his keynote NSA Director Admiral Michael Rogers said, "I'm here because I'm part of the Maryland cyber ecosystem," and his talk concentrated on the centrality of workforce development to his organizations' ability to accomplish their missions. The success of the National Security Agency and US Cyber Command, and their "ability to generate operational outcomes," depend upon their people and their partners.
"We are not where we want to be in cybersecurity," Rogers said. "We've got to ask what we can do, working together, to address the cyber challenge." He thought that, second to developing an effective workforce, information sharing among the public and private sectors was the single most important way of doing so. "One of our government objectives has to be simplifying the ways the private sector can interact with us. You, the private sector, need to tell us what you need."
But human capital, not technology, remains the biggest part of that challenge. He's proud of the high rate of interns who go on to careers at NSA, and he encouraged more students to consider pursuing internships at the agency.
He closed by asserting that all organizations "must acknowledge that despite your best efforts, you're going to be penetrated, and you must think about how you will deal with being penetrated by the opposition." Dealing with this reality is a great leadership challenge, and leaders cannot forget the importance of motivated men and women.
Admiral Rogers then took a series of questions in a session moderated by the CyberWire's producer, Dave Bittner.
Is our ability to defend cyberspace better today than it was ten years ago?
"Think about where we've come over the last five years. We are way past debating that cyber is something we need to pay attention to." Rogers sees widespread recognition that we face challenges only a focused effort will successfully address. He thinks the creation of "lanes within the Federal Government for who does what" has been an important step forward, as is creation of channels for cooperation with the private sector. "But we still need to do more work. We've got a transition point coming in January [that is, a new Administration and a new Congress] and that's a great opportunity to take stock. Are our assumptions right? How do we assess our partnerships and teamwork? And we can't forget the inherently international dimensions of this."
One of your predecessors, General Hayden, is quoted this week as describing Russian hacking of the Democratic National Committee as a legitimate intelligence operation. Obviously legitimate operations aren't welcome ones, and they also call for a response. Do you have any reactions to his characterization?
"We've acknowledged that the Russians were behind the hacking of the DNC, others. We need to step back and think about the implications of this. In some ways I'd argue this is a fairly consistent pattern for the Russians over time, and cyber has enabled them to do much more in this regard. Fundamentally, as a nation, it's important that we believe the mechanisms of government can be trusted. The question we must answer is, how can we engender that trust and confidence, and send this message to the rest of the world?"
What do you think of the probable separation of US Cyber Command from NSA?
"The President's got this under review. Give it some time; see what the process generates. It will be my job to make it work."
Technology's evolution is outpacing our ability to train a workforce. What are the implications of this, especially with respect to acquisition?
Rogers said that, as an intelligence organization, NSA's acquisition process is fairly fast and agile. On the other hand, US Cyber Command is a "traditional DoD command," with all that implies for acquisition, and Rogers thinks "we need to ask ourselves if that makes sense." Cyber Command now has, as a test, both acquisition authority and a small amount of money for FY 2017, and we should watch that pilot with interest.
Mobility is a mess. How is the agency trying to improve the certification process?
Rogers acknowledged that mobile computing is not only the future, but the present. "It's also a bit of a double-edged sword": connectivity brings both opportunity and risk. Mobility has to be approached in terms of an organization's risk assessment. He noted (to some laughter) that he has two Millennial sons (one of them a Navy officer), both of whom think that the US Constitution somehow overlooked what should have been an enumerated right: "the ability to access whatever data you want in whatever format you choose." While risk management isn't a one-size-fits-all exercise, "Trust me—there are nation-states using your connectivity against us every day." NSA and Cyber Command are working to provide unclassified connectivity in a form that will afford high confidence that these risks are minimized.
What is the significance of open source intelligence in national security as technology continues to be compromised at a high rate?
Rogers began by explaining "open source" in this context to those in the audience who might confuse its meaning with that used in open-source software. Open source intelligence, "OSINT," he explained, is intelligence derived from unclassified sources that are readily available to all. "Experience tells us OSINT represents another primary means of capturing intelligence—insights we may not have from other sources." He noted that every source, every "INT"—SIGINT, HUMINT, etc.—has inherent limitations. Not everything you see or hear can be believed, no matter the INT. "OSINT isn't going away, and it represents an enormous potential source of insight."
What can you tell us about the challenges of the Internet-of-things, which was never designed to be secure?
"We've got to be honest—as a society we don't yet understand the implications of the IoT," Rogers said. Ordinary objects are now connected in ways we don't generally appreciate, and now offer vulnerabilities we don't expect. As an example of this change he contrasted the connectivity of today's automobiles with the cars that were around when he learned to drive.
This shift extends also to social media. "You need to think about the social media profile you're creating. You need to think about what information you're comfortable providing to the world." We haven't yet thought through the implications of the IoT and social media, and what it means for us as a nation.
We also find, Rogers said, that technology has outpaced our legal and policy frameworks. We must also ask ourselves what this means, what changes it may induce us to make, and whether we're comfortable with those changes.
How does Maryland plug into the Department of Defense the way Silicon Valley and Boston seem to be doing?
Rogers thought there were many ways of interacting with the Department of Defense, and that it was time to move beyond talking about such interaction and to act to make it a reality.
What's the role of NATO, and what's the United States' place in it?
NATO acknowledges cyber as an operational domain, Rogers explained. The United States is one of the twenty-eight members of the Atlantic Alliance. We've shared our experience with our Allies, and we continue to derive benefit from them.
Admiral Rogers closed with some gracious words for Maryland's place in the cyber security ecosystem, and with a final reminder of the importance of human capital and workforce development. In this last respect it's worth noting that he was introduced by a young potential member of that workforce—a rising high-school junior at Loyola Blakefield, a Baltimore County school with a strong, active, and nationally recognized cyber program.