“Life cycle of a successful spearphishing operation” (Department of Homeland Security graphic)
WASHINGTON: Under relentless grilling from Democratic senators, the four-star officer who heads both Cyber Command and the NSA said the US government is “not doing enough” to prevent Russia from meddling in the 2018 elections.
Could the US keep the Russians from interfering again? asked Sen. Claire McCaskill. “Yes,” Adm. Michael Rogers said at once.
NSA Director, Cyber Commander, Admiral Mike Rogers
But, she pressed, are we actually doing so? “We’re taking steps, but we’re probably not doing enough,” he said.
Why not? “I’m an operational commander, ma’am,” he said. “You’re asking a question that’s much bigger than me.”
That said, Rogers wasn’t shy about saying the Russian threat was real. “They are attempting to undermine our institutions,” he said.
“President Putin has clearly come to the conclusion there’s little price to pay here and therefore (he) can continue this activity,” Rogers said. The US can respond with diplomacy and sanctions as well as cyber operations, he said, but all things considered, “clearly what’s been done hasn’t been enough.”
This morning’s hearing before the Senate Armed Services Committee was a delicate dance and, clearly, often a frustrating one for all participants: Several Democrats raised their voices and I heard Rogers sighing more than once. While acting chairman James Inhofe and other Republicans asked about cybersecurity in general, the Democrats kept hammering on Russian interference in the elections.
Rogers is about to retire, which gives him unusual freedom to speak out. Even so, he repeatedly stressed his limited role and authorities as defender of the Defense Department’s networks. The Office of the Secretary of Defense makes policy, the Department of Homeland Security and the states protect domestic and all critical networks, and the president makes the final call, Rogers kept emphasizing. You can respond to cyber attacks through diplomacy or sanctions, not just by retaliating in cyberspace, he said, and any cyber action must be part of some government-wide strategy.
Cyber Command can’t address all the senators’ concerns because it’s already stretched, Rogers said. “Just look at the things we’ve talked about in the last 40 minutes where you’ve said, ‘why doesn’t Cyber Command do this?’” he said halfway through hearing. “Be leery about viewing Cyber Command as the be-all end-all for everything.”
One of Rogers’ recent triumphs, in fact, is persuading Defense Secretary Jim Mattis to treat Cyber Command as a “high demand, low density” (HDLD) resource like special operators or intelligence, surveillance, and reconnaissance (ISR) assets, the admiral said. As a result, the Pentagon’s set up a process to prioritize, reassess, and reprioritize the allocation of CYBERCOM, with the commander gaining new authorities to retask assets to more urgent missions. “A year ago, that process didn’t exist,” Rogers said.
The all-service Cyber Mission Force will reach official Full Operational Capability later this year, with 6,200 personnel. But “that was a based on an assessment, boy, it’s almost 10 years ago now,” Rogers said. Once the force is fully stood up, “I’d like to retool this a little bit.” In the long run, he added, the force will need to grow.
It’s those Cyber Mission Force teams that could stop Russian attacks “where they originate,” if so authorized by the president, argued SASC’s ranking Democrat, Jack Reed. (Reed wasn’t explicit, but it seems he wants some kind of preemptive or retaliatory cyber strike against Russian hackers in Russia). Has Cyber Command been directed to do so?
“No, I have not,” Rogers said, “but… based on the authority that I have as a commander, I have directed the National Mission Force to begin some specific work — I’d rather not publicly go into that.”
Whatever that work is, it doesn’t sound like it’s directly connected to protecting state-level electoral systems. “I’m not an expert on the electoral system as a whole — I haven’t personally looked at it as a target,” Rogers emphasized. “I’m not talking to individual state officials.”
Is it true President Trump has not directed Cyber Command to take any action to protect the elections? asked Sen. Jeanne Shaheen.
“I’ve never been given any specific direction to take additional steps outside my (normal) authority. I have taken steps within my authority,” Rogers said. “I haven’t been granted any additional authorities, capacity, capability. No, that’s certainly true.”
Sen. Jack Reed visiting US-led training in Ukraine
“Nobody’s necessarily directly me asked me, I’ve certainly provided my opinion in ongoing discussions,” Rogers replied.
“Be mindful of just defaulting to the cyber piece here,” Rogers said. “I’d like us to think about this a little more broadly and I’d like to us to think about, how does this potential cyber piece that Cyber Command could do, how does it fit into something broader?”
But there’s been no formal request for cyber options: “I haven’t put anything in writing,” Rogers said.