Adm. Michael Rogers, head of the National Security Agency and United States Cyber Command, envisions a future in which the government outsources the development of its cyber weapons to the private sector.
Rogers said Friday at an event co-sponsored by AFCEA International and the U.S. Naval Institute that he questions whether developing all cyber weapons within government is sustainable. The alternative, which Rogers said could be a reality within the next five to 10 years, would be for Cyber Command to tell companies exactly what type of weapon the agency needed and allow the companies to manufacture it.
“On the offensive side, to date, we have done almost all of our weapons development internally,” Rogers said. “And part of me goes, five to 10 years from now–is that a long-term sustainable model? Does that enable you to access fully the capabilities resident in the private sector? I’m still trying to work my way through that, intellectually.”
Rogers said he wants Cyber Command and technology companies to integrate so that the entities are housed in the same location. For example, private sector partners would be based in Fort Meade, Md., alongside Cyber Command.
“We try to bring all together as much data, as many different perspectives and as many different elements in the broad enterprise that are necessary to achieve the outcome,” said Rogers. “I think we need to do the same thing.”
Rogers said that Cyber Command is made up of 80 percent military and 20 percent civilian personnel. It’s more difficult to recruit civilians, who are often offered higher pay at private technology companies. Close partnerships with private companies could increase Cyber Command’s employee recruitment.
However, some private companies have rejected the idea of harnessing offensive cyber capabilities, saying that their job is to protect consumers from cyberattacks rather than to retaliate.
Brad Smith, Microsoft’s president and chief legal officer, said that the private technology sector should act as a neutral party in the event of state-sponsored cyberattacks, rather than taking sides according to home country.
“Our company is not unique. As an industry, we’ve brought people together in ways that can promote mutual understanding and respect,” Smith said. “We need to harness this global understanding to protect people everywhere, earning their confidence as the world’s Digital Switzerland.”
Jason “Jay” Healey, nonresident senior fellow for the Cyber Statecraft Initiative at the Atlantic Council, agreed with Microsoft, saying that the government should be helping companies prevent and recover from attacks.
“The private sector should be the supported command, not the supporting command,” Healey said.
Peter Singer, strategist and senior fellow at the New America Foundation, said that the U.S. could adopt practices from Estonia’s Cyber Defense League, which employs civilian volunteers with security clearances to find vulnerabilities and to help respond to cyberattacks. The Cyber Defense League is on call at the local, state, and federal level.
“Offensive action should be governmental, should be military responsibility,” Singer said. “Shouldn’t the private sector be able to hit back on its own? I would argue that’s a very bad idea. It’s a bad idea for the same reason that vigilantism is a bad idea.”
Rogers said that Cyber Command should be given a broader range of duties, rather than being called in only when the mission is specific and highly controlled.
“I would create Cyber Command much in the image of [U.S. Special Operations Command],” Rogers said. “Give it that broad set of responsibilities where it not only is taking forces fielded by the services and employing them, it’s articulating the requirement and the vision and you’re giving it the resources to create the capacity and then employ it.”
Martin Libicki, adjunct management scientist at RAND, said that the rules regarding cyberattacks haven’t been defined well enough to step up the use of cyber weapons. For example, the United States needs rules about when it’s necessary to retaliate after a cyberattack.
“We have to understand the efficacy of offensive cyber forces,” Libicki said.
Libicki said that the military’s cyber capabilities will deplete if the U.S. continuously sneaks up on its enemies to take down the opposition’s networks. Eventually, the U.S. will lose the element of surprise, which would make cyber methods less effective.