Director of the National Security Agency and commander of U.S. Cyber Command Adm. Michael Rogers told a cybersecurity and policy conference in Aspen Thursday it’s only a matter of time before a major cyberattack it deployed against critical U.S. infrastructure.
“I believe that during my time as the commander of United States Cyber Command, I will be directed to deploy capability from U.S. Cyber Command to defend critical U.S. infrastructure, either in anticipation of, or in the aftermath of a significant cyber event,” Rogers told a crowd at the Aspen Institute’s 2015 Aspen Security Forum Thursday night.
“Not yet, but it’s the ‘when’, not the ‘if’, to me.”
In regard to the most recent cyberattack to dominate headlines — that against the U.S. Office of Personnel Management, which compromised the personal data and security background check information of 22.1 million past, current and potential federal employees and contractors — Rogers fielded a number of questions on why the administration elected not to officially name China as the chief suspect in the intrusion, as the U.S. did North Korea in the attack against Sony late last year.
“The conclusion that we’ve come to is every situation is unique,” Rogers said. “We need to do it on a case-by-case basis, and we need to work our way through, what are the implications if you do or you don’t, so to speak, publicly attribute as we did in the Sony case, when we came to the conclusion we felt we needed to acknowledge, attribute, and talk about consequences — and do it publicly.”
Rogers neglected to get into details about any potential reaction to the OPM hack, citing it is an “ongoing issue,” but added just because there’s been no public response reported by the media does not mean a response isn’t being formulated or deployed.
“The threat response to OPM,” Rogers continued, “There’s a thought process there, but I’m the first to acknowledge, we have to date, taken a different response to OPM.”
Rogers added one of his major concerns with regard to future attacks is the possibility of terrorist groups like al-Qaida and the Islamic State turning to cyber as a platform for future attacks — a concern shared by FBI Director James Comey.
Comey told conference attendees Wednesday he believes Islamic State recruiters inspiring and directing Americans to carry out violent attacks now pose a greater threat to U.S. national security than external attacks by al-Qaida.
“I worry very much about what I can’t see,” Comey said of terrorist organizations’ expanding use of encryption technology to communicate with potential recruits, thereby avoiding eavesdropping by U.S. authorities.
The issue of criminals and terrorists using encryption has been a major focus of the FBI since last fall, when Apple and Google announced encryption as a default standard for customers’ communications and data. Comey has spent the months since pushing Congress to step in and facilitate a way for law enforcement to access commercial encryption products, which companies and cryptologists argue will inherently weaken such products.
Rogers, a career cryptologist in the Navy, previously sided with Comey in the public debate, and suggested using a “split key” format to divide up a master key for unlocking encrypted communications across companies and government agencies — a solution the federal government proposed in the ’90s, but failed to gain traction.
“Commercial encryption right now represents a significant technical challenge. That was highlighted in the media leaks, we’ve watched terrorist groups around the world really focus on that,” Rogers told the forum.
The Islamic State regularly engages in broad social media campaigns to recruit followers and supporters on platforms like Twitter. After identifying a potential target of value, Rogers explained, recruiters will direct the individual to switch over to an encrypted communication platform.
“We’re watching that play out all over the world now. For me, it’s a foreign security and national security challenge. For Director Comey, he’s seeing the same trends in the United States,” Rogers said. “But now you’re seeing the same trends where it comes to day-to-day activity in law enforcement in terms of crime.”
“Given the change in technology, how do we address the need to ensure that people can’t use this technology to attempt to violate the law, or do harm to others — whether it’s our nation or other nations.”