Cyber Command’s influence may not be as expansive as some think, according to its commander, Adm. Michael Rogers.
“The Department of Defense is not resourced, nor is it tasked with defending every single computer structure in the U.S.,” he said, explaining that Cyber Command largely focuses on vulnerabilities that would have significant cyber consequence to the nation at large.
Rogers made the remarks in a hearing Tuesday before the Senate Armed Services Committee, which expressed confusion about the scope of Cyber Command and its future.
“I need some clarification on what your responsibilities are in Cyber Command,” Sen. Angus King, D-Maine, told Rogers. “Are you responsible for protecting this country from cyberattacks on public records? Or is it simply government networks?”
Part of the confusion originated in Rogers’ position as commander of Cyber Command, as he is also the director of the NSA.
“I find it harder and harder to justify you having two jobs,” King admitted. He and others expressed interest in elevating Cyber Command to a full command position.
“The combatant command designation would allow us to be faster,” Rogers noted, but he emphasized that Cyber Command was not mature enough to operate entirely on its own, and that the process of transitioning would prove less than ideal for the efficiency of the program. In fact, Rogers said that many of the issues addressed by senators in the hearing, though important, were outside the current mission set of the Command.
Sens. James Inhofe, R-Okla., and Jeff Sessions, R-Ala., addressed a recent GAO report, “DOD Needs to Clarify Its Roles and Responsibilities for Defense Support of Civil Authorities during Cyber Incidents,” in their questioning. They worried that if agencies like the Pentagon didn’t have a clear designation of command when it comes to cyberattacks, they would end up far more vulnerable to the negative consequences of such attacks.
“I’m always concerned about a clear chain of command and clear articulation of capabilities,” Rogers said, but he also expressed more worry in gathering the right individuals to respond to such attacks, rather than who was in charge.
“I am very comfortable with where we are on the uniform side,” Rogers said. “The greater area that we have to look at is on the civilian side of things.” He told the committee members that concerns of budget and sequestration caused many civilians to question the security of working in Cyber Command.
Though the program is meeting current employment goals, Rogers worries that he may not be able to get access to the very specific skill sets needed in the future and that can only come from the civilian side. For example, he found that the private sector brings technical innovation, intellectual innovation, and a new perspective to military cybersecurity. The inability to attract or retain that perspective could prove highly problematic.
“I can replace equipment,” Rogers said. “It can take years to replace people.”
Both Rogers and the committee members wondered what scope that cybersecurity would take in the future and where Cyber Command would fit into that scope.
Sen. Tim Kaine, D-Va., questioned whether there might be need for a cyber academy to be established, similar to that of the Air Force Academy’s creation after World War II. Though Rogers thought this idea might divert cyber perspective, he said that more needed to be done “to urge us to think more broadly than Cyber Command.”