The Navy officer tapped to be the next director of the National Security Agency said at his confirmation hearing on Tuesday that the United States is “not [prepared] to the extent we need to be” to deter future cyber attacks.
Vice Adm. Michael Rogers, now head of the Navy’s Fleet Cyber Command, told the Senate Armed Services Committee that the sources of cyber threats range from governments to hacktivists determined to “steal, manipulate and destroy” vital networks in and out of government using “techniques that are constantly changing.”
“We should never forget that there is a threat out there that wants to do us harm,” he said.
At the hearing, he also stressed several times, in his testimony and in answer to a number of questions, that it was important “to be as transparent as possible” in explaining what the NSA does and why. Rogers said Congress and the public needed to know “what is the value of our efforts” in collecting data on telephone calls or Internet usage.
Rogers said he wanted Congress and the public to “have a level of comfort” that NSA is protecting American citizens’ privacy in its collection of data, and that he was prepared to speak publicly on how it is doing that.
President Barack Obama has set a March 28 deadline for a report that could lead to storing the collected data with a third party (not the NSA or the service providers) and to other possible reforms in intelligence gathering. Rogers said that storing data with a third party would be acceptable because the data would be available “in a timely way” for national security inquiries. “I’m confident of our ability” to quickly access such information, he said.
Committee members said that for now they would continue having the NSA director and Cyber Command commander dual-hatted. Rogers called the two missions “so intertwined and related” that the arrangement made sense. He said that a select committee on cyber could be a way to cut through overlapping committee jurisdictions, such as Armed Services and Intelligence, in that area.
Rogers described what has been identified as Iranian intrusions into the Navy’s largest unclassified network this fall as “a significant penetration” that took several months to end. In addition to identifying and neutralizing the intrusion, he said, his command reviewed ways to better deter and protect its systems in the future.
He said that legislation encouraging the sharing of information with some liability protections between private and public entities should be passed, “the sooner the better,” because it was “only a matter of time” before the nation sees more destructive cyber activity aimed at financial institutions, infrastructure, food supply, and so on. “We’ve got to change the dynamic” of keeping this information closely held.
Rogers said former NSA contractor Edward Snowden’s revelations of United States security activities created a “significant risk” with “damage and consequences” that are still being investigated.
As to the role of contractors in the future, Rogers said that government needed to determine what its core competencies are and only then, while also weighing the cost of keeping an activity inside the public sector, decide to hire workers from the outside. He said his experience in recruiting and retaining Navy uniformed personnel in cyber had been successful, but called for a congressional look at how to provide incentives for civilians to enter and stay in government service in cyber.
Rogers said that NSA and Cyber Command are “doing the mission analysis now” on “how do you build an integrated team” in cyber using the reserve components, a requirement of last year’s defense authorization act.