The director of the National Security Agency told the Atlantic Council last week that arguing over encryption seems like “a waste of time to me” and doesn’t resolve the ongoing divide between privacy and security.
Encryption is “foundational to our future… Given that foundation, what is the best way for us to deal with it? And how do we meet those very legitimate concerns,” Adm. Michael Rogers — who also heads U.S. Cyber Command — said at the Washington, D.C. think tank.
“There are people out there who exploit that vulnerability… some with good reason, some without.”
The FBI is one agency, among others, advocating severe limits on encryption that would block law enforcement from investigating potential terrorist threats. Several states are considering legislation to limit encryption on smartphones.
“Big data analytics are now available at such a level that suddenly now data becomes attractive to a whole larger group of actors out there. So what you saw at OPM [likely Chinese accessing records of millions of current and former federal employees in April], my comment would be you’re going to see a whole lot more,” he said.
Rogers said that this debate is taking place when the government is less trusted, particularly over protecting citizens’ privacy. “We’ve got to meet these two concerns. …That is not an insignificant challenge for us.”
Addressing NSA’s altered role in data collection, he said, “The law changed; we comply with the law” over what data can be collected and stored. Rogers said that standard applies from the lowest ranking agency employee to the top. “We’re accountable to the citizens we serve” and that includes admitting mistakes.
Twice, Rogers said in answer to a question, “We obey the rule of law.”
In addition to working more closely with other governmental agencies and private industry in the United States, he said the command is building partnerships with allies in a number of areas. The revelation that NSA had records of telephone conversations of foreign heads of government has complicated building these new relationships.
Rogers said the government and the tech sector even today do not often talk about partnerships because of the different cultures they bring to their missions and businesses. In answer to a question, he added, government has “got to make it easier for private sector to deal” with the various federal agencies dealing with cyber as a means of building partnerships.
But one area where there appears to be agreement and the willingness to partner is over combating recruiting young people into terrorist organizations, such as the Islamic State in Iraq and Syria (ISIS or ISIL), by sophisticated uses of social media.
“We have decided … as a society that the exploitation of youths [in the cyber domain] is unacceptable.” The question becomes: “Is there a social pact that we can come up with that says, ‘hey, look, this is unacceptable to us.’”
Rogers said that “troublesome development” has to be addressed beyond “a U.S. only approach.”
“This is a challenge that will require us to work together in collaborative ways.”
As he said often in his presentation, practicing “cyber hygiene,” such as not opening an attachment from an unknown sender, can take “away 80 percent of the challenges” in defending networks, systems and platforms — not just in the Defense Department and the federal government but in the private sector. As with a rifle, “you make sure it is used responsibly” and you “do exactly the same thing in cyber.”
Rogers said he did not look at the challenges NSA and the command face as solely preventing “a digital Pearl Harbor,” but one that also keeps a focus on the danger. “We are becoming increasingly vulnerable” to attacks like the one on Sony Entertainment and the Office of Personnel Management.
While these attacks have been “an inconvenience to date,” he added, “It’s going to get worse before it gets better” because attacks can come from nation states, sometimes working together with outside hackers who mask who launched the strike, or from individual actors.
“Actors change; we have to change” with them.
Rogers said other governmental agencies and businesses need to consider authorizing an individual “to take that system down” if the intent of the hack rises to the level of a serious attack. He has that authority in the Defense Department.
Rogers pointed to the sophisticated systems and software in today’s automobiles as an example of how vulnerabilities are increasing. “Many of these software programs are communicating with the outside world.”
On the personnel side, he said the retention rate is 96.3 percent in the overall workforce and about 90 percent in the science, technology, engineering and mathematics fields. He also said that in NSA and the five-year-old command the idea is to build teams mixing veteran employees with newcomers.
That high retention rate is something of a mixed blessing. It would take 30 years to recapitalize the workforce, Rogers said. He called for agreements under which the private sector would send some of its employees to the government for a specified time and the government would likewise send employees to the private sector to broaden their horizons.