NSA and Cyber Command: building adaptive systems and human capital.
Admiral Michael Rogers began his closing keynote at the Billington CyberSecurity Summit on a note of optimism. He said he was energized by the challenge of creating the future, and of having to do so without being able to take a break. He thinks the Department of Defense cyber strategy—now some eighteen months old—is fundamentally sound, and he thinks that within its framework "We've significantly improved defensive capabilities, down to the unit level." He also noted with some satisfaction (and refusing to go into further detail—"I want to give ISIL as little information as possible") that the US is using cyber operations in "a very offensive way" against ISIL. "We're having an effect both tactically and in the information domain."
He acknowledged difficulties and challenges that remain, and spoke about his frustration with "repeating discovery," that is, having to relearn lessons already learned. Looking forward, for both NSA and Cyber Command, he expressed his desire to shift from a focus on networks toward thinking in terms of systems, capabilities, and especially data. "The power of big data analytics makes data concentration very attractive," Rogers said. This is especially true insofar as data have become an increasingly important target. Thus the main line of technological advance he's interested in pursuing will be big data analytics, and with it the automation required to manage those data and stay ahead of the adversary. "We need machine learning to take defense to the next level of speed and effectiveness." He also believes his organizations need to "get to learning and adaptive systems" capable of adapting in real time.
With respect to Cyber Command, Rogers said that "We're moving beyond generating the force." The command is now sufficiently mature that we're ready to begin measuring its readiness to accomplish its mission.
Rogers sees human capital as holding a place of central importance for both the organizations he leads. At Cyber Command, a very traditional military path is open to the people. The Services have concluded that cyber is a mission set requiring dedicated expertise, and that will have over time a positive effect on the force. Cyber Command needs to sustain itself over time, which means continuous training and in-depth knowledge over time." The military career structure is still very much up-or-out one, and Rogers thinks this model needs some reassessment.
In NSA, Rogers sees a different set of workforce challenges, and a need to "step back, look at skill sets, and consider recruitment and retention." In some respects military retention is easier than retaining civilian expertise, and NSA's workforce is to a significant extent a civilian one. While it "can't be just about the money," he recognizes that retention depends upon competitive compensation. He also noted, in response to a question about insider threats, that it's "problematic" to say you won't have an insider threat. He also saw policies designed to protect against insider threats as having a recruitment and retention dimension: "Your policies can't drive away the workforce you need to attract."