U.S. Cybercom Commander talks about 2016 strategy

Other

January 27, 2016

Sally Cole

Senior Editor

Military Embedded Systems

The U.S. Cyber Command’s 2016 strategy centers on defending Department of Defense (DoD) networks and systems, applying Cybercom capabilities more broadly, and cultivating international partnerships.

U.S. Navy Admiral Mike Rogers, who has dual roles as Cybercom commander and chief of the National Security Agency (NSA), spoke at the Atlantic Council on January 21, 2016, outlining Cybercom’s strategic priorities for 2016.

Defense remains the top priority. “We need to ensure that our networks and systems within the Department of Defense (DoD) are free from the presence of others and that we can count on them when we’re executing broad missions across the DoD,” Rogers said at the meeting.

To view Rogers' comments in full, visit the Atlantic Council website, here.

Within the 2016 timeframe, Rogers said he intends to shift the focus beyond network structure and onto systems and platforms as well—because they’re “every bit as vulnerable as our traditional backbone network structure.”

As everyone within this realm knows, the DoD tends to build big-ticket capital investment items that take years to develop and then uses them for years—literally decades.

“When much of what we’re using today was built, redundancy, resiliency, and defensibility from a cyber perspective weren’t core design characteristics,” Rogers pointed out. “So we’ve got this huge capital investment in the form of a network structure that we all use, and much of it is old and wasn’t necessarily built with the requirements of today and tomorrow in mind.”

The solution will involve figuring out how to build and create systems from the ground up in a manner in which cybersecurity becomes a fundamental design aspect, he noted.

Rogers said he views 2016 as an inflection point for Cybercom, which has existed for a little more than five years now. The first years were “largely spent trying to generate capacity and capability in the form of the cyber mission force,” he explained.

Cybercom is operated by about 6,200 dedicated cyber high-end professionals, organized into a series of teams and aligned against three specific missions: defending our department’s networks; being prepared if directed to respond outside of the department to incidents of significant cyber consequence within the private sector; and using that cyber mission force to generate the spectrum of capabilities from the defensive to the offensive to ensure that operational commanders and policy makers in the U.S. have a wide range of options to apply.

Partnerships are another key part of Cybercom’s strategy moving forward. “Increasingly, you’ll see us dealing with allies and friends around the world about how to work together on this cyber journey, because it isn’t unique to the U.S.,” Rogers sais. “Most nations around the world are investing in some form of cyber capability—from defensive to offensive.”

So one of Cybercom’s goals in 2016 is to build on the power of international partnerships. “That international dynamic, particularly as we encounter new ideas about norms of behavior, deterrence, becomes really critical,” he said.

Rogers also stresses the importance of “cyber hygiene” in 2016. “You’ll hear us in DoD sometimes use the slang ‘cyber hygiene.’ One of the things we’re working on broadly across our department is how to create a culture where cyber hygiene and cyber security are every bit as foundational to you as if we gave you a weapon you must ensure that it is appropriately treated, used, always secured,” he explained.

Why create a culture of cyber hygiene? “If we can deal with the basic hygiene, the basic building block, that takes away 80% of the challenges we have to deal with from a defensive standpoint,” Rogers said. “This then lets us focus on the things that really matter—that are either difficult to deal with or potentially offer a really high return.”

As far as a potential “digital Pearl Harbor” looming on the horizon, Rogers isn’t surprised by any of the activity going on and thinks we’ve become somewhat desensitized to it. But every time a major breach occurs—think Sony or OPM—he admits he wonders if this is the attack that will tip things.

Rogers cautioned that if you look at the activity and trends within the U.S. critical infrastructure—power grid and elsewhere—you’ll find nation states, individuals, and malicious actors within those systems. “To date, we’ve not seen on any significant scale a desire to take that access and use it as a way to bring the system down. But what happens when that changes? Threat is a combination of capability and intent, so if the intent were to change we’d have some real challenges here,” he said.