Right: Navy Adm. Michael S. Rogers, commander of U.S. Cyber Command and director of the National Security Agency, spoke to cadets, staff and faculty during a Leader Professional Development Session at the U.S. Military Academy at West Point, N.Y., Jan. 9, 2015. U.S. Army photo by Sgt. 1st Class Jeremy Bunkley.
By Cheryl Pellerin
DoD News, Defense Media Activity
WASHINGTON, March 2, 2015 – Navy Adm. Michael S. Rogers, commander of U.S. Cyber Command, took questions here recently on many topics -- cyber defense and offense, finding the Islamic State of Iraq and the Levant on the dark Web and cyber deterrence -- during a New America Foundation cybersecurity conference.
Rogers, who’s also director of the National Security Agency, spoke with CNN national security correspondent Jim Sciutto and took questions from the audience and from Twitter and other social media outlets.
Rogers often says, as he did at this conference, that he believes in appearing publicly and putting no restrictions on questions asked of him.
“You can ask me anything,” he said, “because we have got to be willing as a nation to have a dialogue” on cyber issues.
Cyberspace as a Domain of War
On a question about whether the United States is positioned effectively to address cyberspace as a domain of warfare, Rogers said the nation is in a better position in many ways than most of its counterparts around the world.
“We've put a lot of thought into this as a department,” he added. “U.S. Cyber Command, for example, will celebrate our fifth anniversary this year. This is a topic the department has been thinking about for some time.”
But the admiral said he doesn’t think Cybercom is where it should be yet in preparation for fully engaging in cyberspace.
“Part of that is just my culture,” he explained. “My culture as a military guy always is about striving for the best, striving to achieve objectives. You push yourself.”
Defending the Networks
From a defensive standpoint it’s difficult to defend a network infrastructure that has been built over decades, Rogers said, noting that most of it was created at a time when there was no critical cyberthreat.
“We're trying to defend infrastructure in which redundancy, resiliency and defensibility were never design characteristics,” he said. “It was all about ‘build me a network that connects me in the most efficient and effective way with a host of people and lets me do my job.’” Rogers noted that concerns about an adversary’s ability to penetrate the network and manipulate or steal data were not a primary factor at the time.
The department is working to change its network structure to incorporate core security characteristics, the admiral said.
On the offensive side, Cybercom is “working its way,” Rogers said, and doing this within a broader structure that dovetails with the law of armed conflict.
Cyber as an Offensive Tool
“Remember,” he said, “when you look at the application of cyber as an offensive tool, it must fit within a broader legal framework -- the law of armed conflict, international law, the norms we have come to take for granted in some ways in the application of kinetic force.”
Cybercom must do the same thing in the offensive world, the admiral said, “and we're clearly not there yet.”
Like many nations around the world, the United States has capabilities in cyber.
“The key for us is to ensure that such capabilities are employed in a very lawful, very formulated, very regimented manner,” Rogers said.
Legal Framework for Cyberspace
Rogers said that in January 2014, in Presidential Policy Directive 28, President Barack Obama laid out the framework he wanted used in the conduct of signals intelligence.
Today, the admiral said, “all that remains applicable.”
Another question from the audience referenced ISIL’s use of the dark Web to raise money through Bitcoin, a form of digital currency.
The questioner described the dark Web as “a bunch of anonymous computers -- a bunch of anonymous users -- that are still able to find each other” using a browser that protects users’ anonymity, no matter what a user is doing there.
Nature of the Business
On collecting intelligence from the dark Web, Rogers said, “We spend a lot of time looking for people who don't want to be found.”
In some ways, he added, that is the nature of the business, particularly involving terrorists or individuals engaged in espionage against the United States or against its allies and friends.
Such activities, the admiral said, are a national concern.
“ISIL's ability to generate resources, to generate funding, is something that we're paying attention to,” Rogers said.
Focusing on ISIL
“It's something of concern to us,” he noted, “because it talks about ISIL’s ability to sustain themselves over time [and] about their ability to empower the activity we're watching on the ground in Iraq, in Syria, in Libya [and] in other places.”
Such activities also are of concern to a host of nations, the admiral said, adding, “I won't get into the specifics of exactly what we're doing, other than to say this is an area that we are focusing attention on.”
When asked about deterring America’s adversaries from carrying out cyberattacks, Rogers said the concept of deterrence in the cyber domain is relatively immature.
“This is still the early stages of cyber in many ways,” he said, “so we're going to have to work our way through this” by developing and accepting norms of behavior in cyberspace that will underlie and support the notion of deterrence.