Is NSA Planning to Beef up Cyber Response Capabilities?
A confident Adm. Rogers says the NSA remains popular with the people it spied on
Adm. Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency, said the Obama administration’s controversial spying programs have not cost the country friends or allies either in the technology industry or abroad. Indeed, the agency shows no signs of slowing down at all.
“I fundamentally reject the premise of the question that says the NSA is no longer in a position where it has a relationship with foreign counterparts or with the corporate sector, or that foreign counterparts have walked away from the NSA. That’s not what I’ve observed in my five months as director,” he said.
Rogers’ assertion at the Billington Cyber Security Summit on Tuesday contradicts wide reports of the worsening relationship between foreign partners like Germany and the United States. In July, Germany ejected the CIA station chief in that country over spying allegations.
He rejected criticism that the NSA acted improperly in its controversial data collection and analysis programs, such as PRISM, and many others.
Rogers spent the majority of his speech describing the growing threat posed by cyber attacks against infrastructure, banks, and regular citizens. It was a threat that was “foundational to the future” of Cyber Command, he said, and one that future technology would only exacerbate, not solve. He also suggested that a growing role for NSA-style spying in the fight--not against the Islamic State or al-Qaeda—but against the murky malefactors of the Internet, wherever they may be.
Historically, Cyber Command, which is tasked with cyberwar activity, and signals intelligence collection under the NSA have been separate. It’s one reason why Cyber Command and NSA are dual command posts, under one leader. Rogers’s comments suggested a growing overlap, that more spying was important for better cyber defenses.
He outlined some simple, common sense measures, albeit ones he may not be able to achieve. Cyber Command is pursuing partnerships with businesses that make up the nation’s infrastructure to get them to report data breaches much more quickly.
“I’m a big advocate that we need cyber-sharing legislation,” said Rogers. “When I see the level of [cyber threat] activity out there, versus what’s being shared with us. I see a huge delta…there are clearly huge liability concerns. They’re working on that on the Hill.”
Of course, many business are also concerned that partnering with the NSA could earn them public distrust. The revelation of the scope of the NSA’s activities are pushing more governments to contemplate restrictions on the way that U.S. companies operate, collect and store data on their shores, which could hurt companies but also U.S. foreign signals intelligence activities, since the NSA will increasingly rely on American companies to hold data that the agency wants to mine under the proposed USA Freedom Act. Rogers said that he has made the pursuit of cross-border partnerships on issues like cyber security a key element of his approach to leading Cyber Command. Obviously, the question of how you form better partnerships with parties that don’t trust you becomes moot if you’re convinced that no gap in trust exists.
John “Chris” Inglis, former NSA deputy director, said companies who participated in the agency’s data collection activities deserved the nation’s thanks and respect.
“All the companies that were maligned were simply following the rule of law,” he said. “We need to give them some credit for doing the right thing.”
But technology companies like Yahoo and others may have been forced to comply with the NSA. Recent revelations in court documents show that Yahoo and other companies were compelled to participate in NSA programs or face harsh fines. In the case of Yahoo, approximately $90 million dollars per year. That fee that looks paltry compared to the potential $30 billion in revenue that cloud computing giants may ultimately lose as a result of the NSA revelations, according to David Castro and the Information Technology and Innovation Foundation.
Retired Gen. Michael Hayden, former NSA and CIA director – a man who once said: “We kill people based on metadata” – admitted that revelations of NSA activity under President Barack Obama signal a change in political mood. At some point, Hayden said, the public lost faith in the oversight of the congressional and executive branches and the Foreign Intelligence Surveillance Court, or FISA, oversight over the NSA. Nobody felt like the watchers were being watched.
“You look at the most controversial program… it blew up not because of what NSA was doing…but a significant change in American political culture. A significant faction of our countrymen… said, ‘OK, you told them, you didn’t tell me. That’s consent of the governors, not consent of the governed.’”
A Bolder NSA To Come?
Rogers’s comments suggest that the NSA will not be changing its approach to metadata collection in any meaningful way unless compelled by changes in law. In fact, he seemed to imply that the growing threat posed by massive cyber incidents could serve as justification of expanded types of data collection, bordering on the controversial.
He wants to build up a “full spectrum of capability” to allow the government to respond to cyber attacks and, of course, launch them. But a big part of that is developing better situational awareness, of what’s happening online at all times. Read that to mean more surveillance of users’ online behavior, possibly within the United States, that may pose some threat to larger systems or that could be classified as “not normal.”
“Detecting behavioral changes, that’s where that situational awareness piece is critical for us. That’s the ability to identify what is normal and what is not normal and be able to do it on a scale,” he said. What constitutes normal versus not normal online behavior is in the eye of the beholder and there’s no one who can behold more than Rogers. He emphasized that if an Internet practice remained legal, it was fair game in his eyes and the eyes of the FISA court.
The threat of high-impact cyber attacks is very real, but it also represents the perfect never-retreating enemy to justify expanded use of power.
Inglis, like Rogers, suggested that the NSA’s role as chief protector of the nation’s cybersecurity and the agency’s job of collecting signals intelligence (ie. data) were closely linked. The relationship between cyber-protector and signal snoop would become more apparent going forward.
“I don’t see them at odds,” said Inglis. “You might well use those signals intelligence systems to understand more about cyber threats in the international realm. That’s another aspect of our intelligence that might richly profit from taking a look at what adversaries, be they nations, entities, and you want to know something about that before the event occurs, you might want to interdict that in advance of that threat.” He added that that signals intelligence collection could be expanded, increasingly, on “on behalf of the private sector.”
Each new cyber attack raises the geopolitical stakes. Rogers, in his remarks, called for a clear red line that would determine whether a cyber action undertaken by state or nation rises to the level of war. “There is no red line. There is no sense of consequence,” he said regarding theft of intellectual property online. “We need to get there.”
Cyber Command faces limits in the protection it can offer. The best way to defend from cyber attacks is to acknowledge the break-ins, malware, denial of service attacks will occur with greater frequency and severity. Rogers called for more emphasis on resilience in the face of massive cyber attacks, likening the nation’s network-connected infrastructure to a battleship under constant assault from bombs. “What do you do when you have damage?” he asked, harkening back to his time spent analyzing signals intelligence aboard Navy ships, “what you do is to keep fighting.”
In a strange moment, Rogers asked the attendees, primarily cybersecurity professionals, if any of them had suffered “some form of compromise of their personal information or their personal systems,” after a brief pause, he acknowledged.
“My hands up there with you,” Rogers admitted.
In other words, the NSA sees the looming threat of more consequential cyber attacks as justification enough to do even more data collection under parameters it views as legal.
But that doesn’t mean that they can keep you safe.