NSA Chief: Military Not Organized for Cyber Warfare
The U.S. military's hidebound culture and outdated procurement system are slowing down efforts to improve cyber defenses against increasingly sophisticated network attacks, said Navy Adm. Michael S. Rogers, director of the National Security Agency and head of U.S. Cyber Command.
The Pentagon created the cyber command four years ago to prepare to wage war against hackers and foreign spies. It has a $500 million annual budget and a sprawling campus on Fort Meade, Maryland. Its ability to protect Defense Department networks is limited, however, by the military's disjointed organization and outdated attitudes about information technology, Rogers said June 12.
"Our greater challenge is not technology but organization," he told a conference of the Association of the U.S. Army, in Arlington, Virginia.
The Pentagon by some estimates operates 15,000 networks across the Defense Department and the military services. Each branch of the military buys and manages its own systems. Of most concern to Rogers is that cyber security tends to be put on the back burner.
"Military commanders must 'own' cyber," said Rogers. "Networks and cyber [should be] the commanders' business."
In his previous job as head of the Navy's cyber fleet, Rogers was frustrated by a culture where information networks are relegated to the technical support staff, rather than viewed as a command priority. As cyber attacks become more pervasive and intractable, "our ability to integrate cyber into a broader operational concept is going to be key," he said. Now, "we treat cyber as something so specialized, so different, so unique, that resides outside the operational framework."
Commanders operate under the "flawed" notion that they can turn over network responsibilities to the unit's information technology experts, said Rogers. "Commanders have to own this mission and integrate it into operations." Senior officers ought to be as knowledgeable about a unit's network capabilities and potential vulnerabilities as they would be about its fuel and ammunition supplies, he added. "The challenge to that is as much cultural as it is technical."
The military, indeed, needs advanced technologies to build stronger cyber defenses, said Rogers. But a disjointed procurement system makes that difficult. The Defense Department today, he said, cannot "synchronize our capabilities as a team."
The Pentagon must build a "joint network backbone," he said. "I never understood why the services each spend money creating, maintaining, building and operating a global communications backbone. We do it independently. It makes no sense to me. It is inefficient. It does not lead to an integrated approach to problem solving," he added. "We need a joint framework." Each service could still address its own needs for the "last tactical mile."
The Defense Department last year launched a network integration effort, called "joint information environment," to help protect systems from cyber attacks. Rogers does not see any easy fixes to this problem other than a "fundamental change in how we do acquisitions." Networks are not viewed as "war fighting platforms," he said. "We generally turn to our CIO and tell them to go build a network. ... We don't entwine acquisition and operations."
Rogers also called on the military services to beef up their in-house talent. "We need to create a workforce that understands the vision, has the tools and capabilities to execute the vision," he said.
"We, the Defense Department, are not on the cutting edge when it comes to networks, and information technology. ... We need to build a trained and ready operational cyber force."
Cyber Command wants to "partner" with the services because it cannot do its job without their cooperation, he said. "It makes no sense to develop some joint vision and jam it down the throats of our services. I tell the services that we are doing this as one team."
Future networks, said Rogers, not only must be joint, but also "defensible ... with an architecture in which defensibility, resiliency and redundancy are core design characteristics. ... I can't say that about current networks."
For Cyber Command, it can be daunting to have to defend networks that it cannot "see," said Rogers. "We have got to create shared situational awareness. It is awfully hard to operate — whether on the offensive or defensive side — in an environment where you cannot see the environment where you operate." Military commanders have "tactical operations centers" where they can follow events in real time. "We don't have that in the cyber world. We have to create that. It's hard to be agile when you can't visualize what you're doing."
Rogers' criticism of military culture echoes the argument made by his predecessor, now retired Army Gen. Keith Alexander. In one of his first public speeches as incoming Cyber Command chief in June 2010, Alexander complained that the command lacked visibility into the Defense Department's networks, which limited its capacity to prevent attacks. He said Cyber Command only becomes aware of intrusions after they happen, and then reacts to the events, because it has little “situational awareness." He suggested the command could not do its job without a "common operating picture." In maneuver warfare, military commanders on the battlefield need situational awareness so they can pinpoint the location of the enemy and try to anticipate what it might do. In cyberspace, the military has no such capability.
Rogers said Cyber Command is preparing for cyber warfare as it also deals with thorny policy issues. His dual-hat role as chief of the NSA and Cyber Command puts Rogers at the center of a growing firestorm over domestic spying and privacy rights. "We need to be mindful of policy and administrative changes to apply these capabilities," he said. "What legal frameworks do we need to execute this mission? Technology has moved much faster than our policy."