Cybercom Chief: Cyber Threats Blur Roles, Relationships
By Cheryl Pellerin
DoD News, Defense Media Activity
WASHINGTON, March 6, 2015 -
Over five years of U.S. Cyber Command operations, global movement of
threat activity through cyberspace has blurred roles and relationships
among government agencies, as well as between the public and private
sectors and the real and virtual worlds, the Cybercom commander told a
Adm. Michael S. Rogers, commander of U.S. Cyber Command and director of
the National Security Agency, testifies before the House Armed Services
Committee improving the military cyber security posture in an uncertain
threat environment, March 4, 2015. DoD photo by Cheryl Pellerin
(Click photo for screen-resolution image);high-resolution image available.
Navy Adm. Michael S. Rogers testified March 4 before the House Armed
Services Committee on cyber operations and improving the military's
"There is no Department of Defense solution to our cybersecurity
dilemmas," Roger said in written testimony. "The global movement of
threat activity in and through cyberspace blurs the U.S. government's
traditional understanding of how to address domestic and foreign
military, criminal and intelligence activities."
Similarly, he said, the public and private sectors need each other's help.
Responding to Cyber Attacks
"The U.S. government, the states and the private sector can't defend
their information systems on their own against the most powerful cyber
forces," the admiral said.
"We saw in the recent hack of Sony Pictures Entertainment that we
have to be prepared to respond to cyber attacks with concerted actions
across the whole of government," he added, "using our nation's unique
insights and complete range of capabilities in cooperation with the
Cyberspace is more than a challenging environment, Rogers said.
"It is now part of virtually everything we in the U.S. military do in
all domains of the battle space and each of our lines of effort," he
said. "There is hardly any meaningful distinction to be made now between
events in cyberspace and events in the physical world, as they are so
Cybercom is growing and operating at the same time, he said, performing many tasks across a diverse and complex mission set.
Guarding DoD Networks
Three years ago, the command lacked capacity, Rogers said. Today, new
teams are guarding DoD networks and are prepared to help combatant
commands deny freedom of maneuver to adversaries in cyberspace, he
Cybercom's Cyber Mission Force, or CMF, was formed to turn strategy and plans into operational outcomes, the admiral said.
"With continued support from Congress, the administration and the
department," Rogers said, "Cybercom and its service cyber components are
now about halfway through the force build for the CMF, [and] many of
its teams are generating capability today."
He added, "We have a target of about 6,200 personnel in 133 teams,
with the majority achieving at least initial operational capability by
the end of fiscal year 2016."
Cybercom has been normalizing its operations in cyberspace, he said,
to provide an operational outlook and attitude to running the
department's 7 million networked devices and 15,000 network enclaves.
Implementing the Joint Information Environment
The department's legacy architecture, created during times when
security was not a core design element, is being transitioned to a more
secure and streamlined architecture that is part of what ultimately will
be the Joint Information Environment, or JIE.
"While the JIE is being implemented," Rogers said, "our concerns
about our legacy architecture collectively have spurred the formation of
our new Joint Force Headquarters to defend the department's information
The Joint Force Headquarters recently achieved initial operational
capability, the admiral added, working at the Defense Information
Systems Agency under Rogers' operational control at Cybercom. Its
mission is to oversee the day-to-day operation of DoD networks, he
added, "and mount an active defense of them, securing their key cyber
terrain and being prepared to neutralize any adversary who manages to
bypass their perimeter defenses."
"It gets us closer to being able to manage risk on a systemwide basis
across DoD," Rogers added, "balancing warfighter needs for access to
data and capabilities while maintaining the overall security of the
The admiral said the new headquarters is a stopgap measure while the
department migrates its systems to a cloud architecture that's more
secure and facilitates data sharing across the enterprise.
As network security has advanced, so has the maturity of the cyber
force, which has gained what Rogers called priceless experience in
"That experience has given us something even more valuable -- insight
into how force is and can be employed in cyberspace. We have had the
equivalent of a close-in fight with an adversary that taught us how to
maneuver and gain the initiative that means the difference between
victory and defeat," he explained.
Every Conflict Has a Cyber Dimension
Such insight is increasingly urgent, because every conflict in the
world has a cyber dimension, the admiral said, adding that the command
sees patterns in cyber hostilities that indicate four main trends:
-- Autocratic governments that view the open Internet as a lethal threat to their regimes;
-- Ongoing campaigns to steal intellectual property;
-- Disruptions by a range of actors that range from denial-of-service
attacks and network traffic manipulation to the use of destructive
-- States that develop capabilities and attain system access for
potential hostilities, perhaps with the idea of enhancing deterrence or
as a beachhead for future cyber sabotage.
"We believe potential adversaries might be leaving cyber fingerprints
on our critical infrastructure, partly to convey a message that our
homeland is at risk if tensions ever escalate toward military conflict,"
Heartbleed and Shellshock
For instance, he told the House panel, "I can tell you in some detail
how Cybercom and our military partners dealt with the Heartbleed and
Shellshock vulnerabilities that emerged last year."
The Heartbleed Bug is a serious vulnerability that allows attackers
to steal information, usually encrypted, that's used to secure the
Internet for applications such as Web, e-mail and instant messaging,
among others. Attackers can eavesdrop on communications, steal data
directly from the services and users, and impersonate services and
Shellshock is a vulnerability that gives attackers the ability to run remote commands on a system.
The admiral said these serious flaws inadvertently were left in the
software that millions of computers and networks in many nations depend
Responsible developers discovered both security holes, Rogers said.
They kept their findings quiet and worked with trusted colleagues to
develop software patches that system administrators could use to get a
jump on those who read the same vulnerability announcements and devised
ways to identify and exploit unpatched computers, he said.
Checking for Vulnerabilities
"We at Cybercom and [the National Security Agency] learned of
Heartbleed and Shellshock at the same time that everyone else did," the
Military networks are probed for vulnerabilities thousands of times
an hour, he added, so it wasn't long before they detected new probes
checking their websites and systems for vulnerabilities.
"By this point, our mission partners had devised ways to filter such
probes before they touched our systems," Rogers explained. "We were
sheltered while we pushed out patches across DoD networks and monitored
implementation," directing administrators to start with the most
"Thanks to the efforts we have made in recent years, our responses
... were comparatively quick, thorough and effective, and in both cases
they helped inform corresponding efforts on the civilian side of the
federal government," the admiral added.
"We also know that other
countries, including potential adversaries, struggled to cope with the
Heartbleed and Shellshock vulnerabilities," he noted.
Cyber Military Capabilities
Rogers said this operational approach must be built in many more places.
"The nation's government and
critical infrastructure networks are at risk as well," he said, "and we
are finding that computer security is really an enterprisewide project."
The admiral added, "We in the
U.S. government and DoD must continue learning and developing new skills
and techniques ... [and] the nation must continue to commit time,
effort and resources to building cyber military capabilities."
(Follow Cheryl Pellerin on Twitter @PellerinDoDNews)