Working with the private sector is the “next big area we need to get into,” the head of U.S. Cyber Command Adm. Michael Rogers told the House Armed Services Emerging Threat and Capabilities Subcommittee on Wednesday.
He said he was generally comfortable with the authorities he has in meeting the command’s other mission sets — defending Defense Department networks and supporting combatant commanders.
But in answering a question Rogers told the panel that the law covering the Pentagon’s support to civil authorities “does not explicitly address cyber.” In review where the command can help it was important not to look at “re-inventing” the framework of that support. “We have to dig in a little bit deeper” to better understand what might be needed.
In his opening statement, Rogers said nation states — Russia, China, North Korea and Iran — pose “the gravest threats” in cyber. He added the Islamic State in Iraq and Syria (ISIS) has shown its strength in the cyber arena in its recruiting efforts and propagandizing.
“What concerns me is capacity,” to counter attacks at the high-end coming simultaneously. He told the subcommittee that nation states have increasingly partnered with other actors — including criminal groups — to obscure what they are doing in cyber probes and intrusions, he said.
Inside the Department of Defense, the vulnerability of decades of earlier investments in platforms and systems to attack remains high because they were built when cyber defense was not a major concern in the industrial base, he said.
This attitude has changed inside and outside the Pentagon. Rogers, in answering a question about the Internet of Things, said, “Almost everything we are buying and using” from refrigerators to cars are or can be connected with each other. That connectivity allowing actions to be taken remotely to say upgrade an appliance or app also presents new vulnerabilities to outside intrusion.
Outside of the department, Rogers predicted increased “ransomware” intrusions as occurred recently with a California hospital’s patients’ records being blocked for use until the intruders were paid in bitcoin to free them. Ransomware attacks were also reported against advertising on digital properties owned by The New York Times, BBC, AOL and the NFL this past weekend.
He also expected more attacks aimed at large databases as was done against health insurer Anthem and the U.S. Office of Personnel Management.
Rogers said the command’s annual Cyber Guard exercise, held in June, draws together the Pentagon, 100 private businesses and local and state governments to address a specific scenario such as the protection of the power grid and this cross-fertilization of ideas is helpful to all.
For the command itself, “we need a persistent training environment” as it becomes more operational.
In addition, Cyber Command is reaching out to technology businesses and universities, not only in California’s Silicon Valley and around Seattle in Washington, but Boston to become incubators in identifying best practices and possible areas of collaboration and cooperation.
He said he hoped that sometime soon the “the DoD workforce will be able to spend some time in the private sector and come back to us” and vice versa.
The “single greatest limiting factor” in increasing the command’s capacity is the throughput in the training pipeline, most noticeably in the Air Force. Rogers said that it was important to have training “standardized across the force” but there were options out there within those standards to work with academia, the private sector and the reserve components to build up the cyber force.
He told the subcommittee that 500 service members have been given equivalency credit for their civilian experience rather than taking redundant military courses.