Cybercom Chief Details U.S. Cyber Threats, Trends
By Cheryl Pellerin
DoD News, Defense Media Activity
WASHINGTON, Nov. 21, 2014 -
Cyber threats are real, hurting the nation and its allies and partners,
costing hundreds of billions, and potentially leading to a catastrophic
failure if not addressed, Navy Adm. Michael S. Rogers told a House panel
sailors assigned to Navy Cyber Defense Operations Command take their
stations at Joint Expeditionary Base Little Creek-Fort Story, Va., Aug.
4, 2010. NCDOC sailors monitor, analyze, detect and respond to
unauthorized activity within U.S. Navy information systems and computer
networks. The Navy and the other service branches are contributing
service members to the U.S. Cyber Command workforce. U.S. Navy photo by
Petty Officer 2nd Class Joshua J. Wahl
Rogers, the commander of U.S. Cyber Command, director of the National
Security Agency and chief of the Central Security Service, testified
before members of the House Permanent Select Committee on Intelligence
on advanced cybersecurity threats facing the United States.
Cyber Challenges 'Not Theoretical'
"There should be [no] doubt in anybody's mind that the cyber
challenges we're talking about are not theoretical. This is something
real that is impacting our nation and those of our allies and friends
every day," Rogers said.
Such incidents are costing hundreds of billions of dollars,
leading to a reduced sense of security and potentially to "some truly
significant, almost catastrophic failures if we don't take action," the
In recent weeks, cyber-related incidents have struck the White
House, the State Department, the U.S. Postal Service and the National
Oceanic and Atmospheric Administration.
The Defense Department, the U.S. Sentencing Commission and the U.S. Treasury also have had cyber intrusions.
Sophisticated malware has been found on industrial control
systems used to operate U.S. critical infrastructure, and other major
intrusions have been reported by J.P. Morgan Chase, Target, Neiman
Marcus, Michaels, Yahoo! Mail, AT&T, Google, Apple and many more
Intrusions Seek to Acquire Capability
"We have ... observed intrusions into industrial control
systems," Rogers said. "What concerns us is that ... capability can be
used by nation-states, groups or individuals to take down" the
capability of the control systems.
And "we clearly are seeing instances where nation-states, groups
and individuals are aggressively looking to acquire that capability," he
Rogers said his team thinks they're seeing reconnaissance by many
actors to ensure they understand U.S. systems in advance of exploiting
vulnerabilities in the control systems.
"We see them attempting to steal information on how our systems
are configured, the specific schematics of most of our control systems
down to the engineering level of detail so they [see] ... the
vulnerabilities, how they are constructed [and] how [to] get in and
defeat them," the admiral said.
"Those control systems are fundamental to how we work most of our
infrastructure across this nation," Rogers added, "and it's not just
the United States -- it's on a global basis."
Growth Areas of Vulnerability
When he's asked about coming trends, Rogers said, industrial
control systems and supervisory control and data acquisition systems,
called SCADA systems, come to mind as "big growth areas of vulnerability
and action that we're going to see in the coming 12 months."
"It's among the things that concern me the most," he added,
"because this will be truly destructive if someone decides that's what
they want to do."
What it means, he said, is that malware is on some of those
systems and attackers may already have the capability to flip a switch
and disrupt the activity the switch controls.
"Once you're into the system ... it enables you to do things
like, if I want to tell power turbines to go offline and stop generating
power, you can do that," he explained. "If I want to segment the
transmission system so you couldn't distribute the power coming out of
power stations, this would enable you to do that."
Criminals as Surrogates for Nation-states
The next near-term trend Rogers sees is that some criminal actors
who now steal information to generate revenue will begin acting as
surrogates for other groups or nations.
"I'm watching nation-states attempt to obscure, if you will,
their fingerprints," he said. "And one way to do that is to use
surrogate groups to attempt to execute these things for you."
That's one reason criminal actors are starting to use tools that only nation-states historically have used, the admiral said.
"Now you're starting to see criminal gangs in some instances
using those tools," he added, "which suggests to us that increasingly in
some scenarios we're going to see more linkages between the
nation-state and some of these groups. That's a troubling development
Such activities across the cyberscape, he said, make it difficult
for private-sector companies to try to defend themselves against
rapidly changing threats.
A Legal Framework for Cyber Sharing
But before Cybercom can help commercial companies deal with cyber
criminals and adversarial nation-states, Rogers said the command needs a
legal framework "that enables us to rapidly share information,
machine-to-machine and at machine speed, between the private sector and
The framework, he added, must be fashioned in a way that provides
liability protection for the corporate sector and addresses valid
concerns about privacy and civil liberties.
Such legislation has passed in the House but not in the Senate,
and the Senate has created its own similar legislation that has not yet
passed the full Senate.
Rogers says there are several ways Cybercom can share what it
knows about malicious source code with the private sector so companies
can protect their own networks, and assure Americans that NSA isn't
collecting or using their personal information while sharing information
with private companies.
What the Private Sector Needs
With private-sector companies, Cybercom and NSA must publicly
"sit down and define just what elements of information we want to pass
to each other," he said, specifying what the private sector needs and
what the government needs, and also areas that neither wants to talk
"I'm not in that private-sector network, therefore I am counting on the private sector to share with us," the admiral said.
What he thinks the government owes the private sector is this --
Here are the specifics of the threats we think are coming at you. Here's
what it's going to look like. Here's the precursor kinds of activities
we think you're going to see before the actual attack. Here's the
composition of the malware we think you're going to see. Here's how we
think you can defeat it.
What Rogers says he's interested in learning from the private
sector is this -- Tell me what you actually saw. Was the malware you
detected written along the lines that we anticipated? Was it different
and how was it different? When you responded to this, what worked for
you and what didn't? How did you configure your networks? What was
effective? What can we share with others so the insights of one come to
the aid of many?
"That's the kind of back-and-forth we need with each other,"
Rogers said, and legislation is the only thing that will make it happen.
Helping Defend Critical Infrastructure
Rogers says he tells his organization that he fully expects
during his time as Cybercom commander to be tasked to help defend
critical infrastructure in the United States because it is under attack
by some foreign nation or some individual or group.
"I say that because we see multiple nation-states and in some
cases individuals in groups that have the capability to engage in this
behavior," the admiral said, adding that the United States has seen this
destructive behavior acted on and observed physical destruction within
the corporate sector, although largely outside the nation's borders.
"We have seen individuals, groups inside critical U.S.
infrastructure. That suggests to us that this vulnerability is an area
others want to exploit," the admiral said. "All of that leads me to
believe it is only a matter of time when, not if, we are going to see
Rogers says he's "pretty comfortable" that there is broad
agreement and good delineation within the federal government as to who
has what responsibilities if Cybercom is called on during a major
cyberattack in the United States.
"The challenge to me is we've got to ... get down to the execution
level of detail," he said. "I come from a military culture [which]
teaches us to take those broad concepts and agreements and then you
train and you exercise. And you do it over and over. That's what we've
got to do next."