NSA director wants to make it easier to use offensive cyber techniques
The head of the National Security Agency and U.S. Cyber Command wants to see if in five to 10 years, offensive cyber operations can be fully integrated into the military’s “operational tactical level.”
Offensive cyber-operations — like taking down infrastructure or hacking an enemy’s computers to spy — are tightly controlled and treated from an approval perspective “like nuclear weapons,” said Adm. Mike Rogers said during a conversation Thursday with retired Adm. James Stavridis at the at the AFCEA-USNI WEST 2017 conference in San Diego.
Rogers wants to see that change, and his comments come as Defense Secretary James Mattis has asked for more information on ways to “optimize” cyber operations. Mattis recently issued two memos looking at structural reforms to the department, one of which directs the development of a plan “for more optimized organizational structure and processes to support information management and cyber operations.”
A provision of the National Defense Authorization Act for 2017 calls for elevating U.S. Cyber Command to a unified combatant command, and Mattis’ plan asks for an analysis of that idea.
When it comes to elevating Cyber Command, Rogers said on Thursday, “I think the potential for that happening in the near term is high, even as I acknowledge, hey it’s not my decision, there are other perspectives.”
But Rogers also went into other specifics around how to enhance military cyber capabilities by integrating both offensive and defensive versions down to the “operational tactical level,” and viewing them “as another toolkit that’s available to a commander.”
Offensive and defensive cyber operations are treated differently right now in the space, Rogers noted, adding that “offensive cyber, in some ways, is almost treated like nuclear weapons in the sense that their application outside of defined areas of hostility is controlled at the chief executive level and is not delegated down.”
But the cyber force will have to make policy and decision makers comfortable enough to feel confident delegating the task to the tactical level, Rogers noted.
Stavridis suggested that the evolution of special forces was similar to that of cyber operations, in that at first their use was tightly controlled, and over time they became a part of everyday operations.
Rogers agreed, adding: “I would create Cyber Command much in the image of SOCOM [Special Operations Command], give it that broad set of responsibilities where it not only is taking forces fielded by the services and employing them, it’s articulating the requirement and the vision, and you’re giving it the resources to both create the capacity, and then employ it.”
He said Cyber Command should eventually be striving toward something similar to the SOCOM model of providing theater special operations commands.
“The reason why I have argued up to date that’s probably not an optimal investment of finite capacity is: Look, until we can get approval to delegate much of this down to that level, it doesn’t make any sense to me,” he said. “Why would you create a [command-and-control] construct, tie up scarce manpower, if it’s not going to actually be able to conduct the full range of operations? That’s what I’m hoping in five to 10 years we can get to.”
Asked what is holding back delegation of offensive cyber, Rogers said it was not classification issues, but “can you get the authority, can you get the rules of engagement right that would allow you to actually employ it?”
“My comment would be: Look the same thing happens in the kinetic world. In the world we’re living in now the tactical application of kinetic force often has strong strategic implications well beyond the immediate physical environment or the application of that force,” he said. “Cyber has many of those same characteristics.”