Rogers: Why data is critical infrastructure
The head of the NSA says that in the wake of Russia's hacking of the Democratic National Committee, the U.S. has to rethink what critical infrastructure means in a digital age.
Adm. Mike Rogers, head of the National Security Agency and Cyber Command, wants a rethink of data as critical infrastructure.
When it comes to high-tech spying and infiltration, Russia is a peer to the U.S., the head of the National Security Agency told attendees at the WEST conference in San Diego. Russia's full range of capabilities were on display against the U.S. in an attempt to influence the 2016 presidential election, Adm. Michael Rogers said.
"We're very confident -- hey look, this happened," Rogers said about Russia's information operation against the U.S. in 2016. "And so, I think the challenge now is so what does that mean and what are the implications for us and is that acceptable?"
Rogers, who is also head of U.S. Cyber Command, said that Russia's actions require that the U.S. re-evaluate how to define "critical infrastructure" in a digital age.
"We tended to view historically critical infrastructure as something associated with an output: air traffic, pipelines, the financial world," he said. We didn’t ask ourselves about “information, data and fundamental processes like the ability to ensure a high confidence that in a western democracy the electoral outcome is actually reflective of the majority of our citizens -- which is at the heart of the democratic model."
He said that databased information increasingly has value of its own -- as was demonstrated by the theft of millions of personnel records from the Office of Personnel Management. "You saw it with the Russians the way they penetrated systems, removed data and then provided that in a very public, unaltered format, so we've got to work through that," Rogers said.
It's a global challenge, he added. "You're seeing this play out in Europe now -- we need to work with a broader set of nations to attempt to clearly signal, I believe, this is unacceptable and drive the calculus in a different way."
The Obama administration in its waning days did declare that elections systems are critical infrastructure, a move that has faced strong opposition from a number of states, and was recently the subject of a disapproving resolution from the National Association of Secretaries of State.
Beyond changing the way the U.S. looks at data and election systems, Rogers said, the country needs to make a number of cyber policy changes over the next decade.
On the military front, offensive and defensive cyber capabilities must be pushed down to the operational tactical level, he said.
"Offensive cyber in some ways is treated like nuclear weapons in the sense that their application outside the defined area of hostilities is controlled at the chief executive level and is not delegated down," Rogers said.
He argued that the U.S. needs to engender confidence in policy makers to feel comfortable pushing authorities down to the tactical level.
"We should be integrating this into the strike group," he added. "We should view this as another toolkit that's available to a commander."
He also advocated for changing the way the military distributes cyber forces, saying small teams should not be permanently attached to specific departments or commands.
"How do we treat any high-demand, low-density resource in the [Department of Defense]?" he asked. "We traditionally try to centralize it and then prioritize its application by risk and operational priority. And I would argue we need to do the exact same thing in cyber."
Rogers also advocated for eventually co-locating private-sector cyber entities with government.
In the military, he said, the goal is to bring data, perspectives and elements of the broad enterprise together in a common location to execute a specific mission.
"How do we do this with the private sector?" he asked. "And how do we, for example, take advantage of the sector constructs that are in place for the 16 segments in private industry that have been designated as critical infrastructure to the nation? How do we take advantage of that and integrate at that level?"
Regarding the private sector, Rogers added that the military must learn more from industry about practices to mitigate insider threats, and the government should look to the private sector for more help in developing offensive cyber weapons just as the DOD turns to industry to develop kinetic weapons.
Rogers said that he expects the Trump administration to release its cyber executive order in the "immediate near term." He said that he has participated in discussions with the president about how to approach cyber going forward.
"The biggest input that I have tried to provide ... is take advantage of the opportunity to step back and look at this with a new set of eyes and say, 'Look, if we were creating this from the ground up, how would we do it?'" he said.