NSA Dir Mike Rogers and former NSA Dir Michael Hayden

Oct 24th, 2017 Cyber Command, Cyberwar

Navy Adm. Mike Rogers, U.S. Cyber Command commander, National Security Agency director and Central Security Service chief, participates in a panel with former Director General Michael Hayden on breaking the cyber barrier at the Air Force Association’s Air, Space and Cyber Conference in National Harbor, Maryland, Sept. 19, 2017.

For students of IST 728 / and LAW 832, Hayden speaks on whether cyber is a separate domain from 6:42 to 11:50.  Note “a lot of his [Adm Rogers’s] capacities right now are actually limited by policy, and sometimes law,” and Hayden’s position on encryption and the Apple v. FBI controversy.

Closed caption transcript (not guaranteed to be accurate):

– It’s my honor to welcome you today, and it’s my greater honor to introduce a panel of clearly the world experts on the topic that we’re exploring today, and that’s cyber security. There’s not one of us that’s not touched by these important issues that face us both technically, and from a human factors perspective.

I’m thrilled, and I’m not one given to use superlatives to introduce these two world experts with us today, Admiral Mike Rogers, the Commander of U.S. Cyber Command, the Director of National Security Agency, and the Chief of the Central Security Service. Would you join me in welcoming Admiral Rogers, please? (audience claps) We’re equally honored to have with us General Mike Hayden, who’s currently the Principal at the Chertoff Group, and previously served as Director of the Central Intelligence Agency, and the National Security Agency. Would you join me in welcoming him as well, please? (audience claps) Now the rules of engagement are very simple, and they are whatever Admiral Rogers and General Hayden want to do. We will first hear from Admiral Rogers, and then we’ll hear from General Hayden, and after their prepared remarks, we welcome your questions. You should have little cards on your chairs. We have people in the audience who will collect those and deliver them to me, and then we’ll moderate the question panel. Admiral Rogers, thank you sir, and over to you. – All right. So first and foremost, thank you all for taking time from busy lives to spend some time. For my Air Force teammates, it’s an honor to be with you all today. I’m a member of the joint force, so to speak. I was literally just thinking to myself, out of 36 years commissioned service, I’m at about 15 years of joint service right now. So I have spent a lot of time in this environment, and had the opportunity to work with Air Force teammates as both Commander of the United States Cyber Command, where we have an Air Force component, as well as the Director of the National Security Agency, where we have 25th Air Force as the Service Cryptologic Element Commander for the Air Force. It’s been an honor to work with my Air Force teammates, and I thank you for your willingness to spend some time. It’s been great to watch Air Force in its cyber journey. This is a topic that General Goldfein and I spent a lot of time talking to each other about, as well as 24th Air Force about, so how as a service, is the Air Force going to realize its vision about cyber, and how does cyber fit in the broader set of activities that the Air Force is engaged in to help this nation execute, and the department execute its primary missions. I’m gonna focus on the cyber security piece a little broadly, and not be so service specific, although I welcome any questions you have. I will say it is great to see the internal dialogue and the ongoing evolution of cyber within the Air Force. I view that personally as a positive, and is one of the things I try to tell leaders is we are on a journey, and where we are today in cyber is not where we’re going to be two years from now. It’s not where we’re gonna be five years from now. The idea that we are gonna stick to a specific construct, a specific set of operational practices, or a specific set of skill sets over time I think is very flawed. We have got to get used to the idea of change as a normal component of this mission set, and what are the implications of that change from how you build with your human capital, how you build a mission team, what are the capabilities you need? How do you organize, whether that be formally, from a command and control perspective, all the way down to the tactical seam? How do you organize to execute the mission? We’ve already seen significant changes in the evolution of cyber in the last few years. I’ve been the commander now for three and a half years. It’s amazing to see the journey, the real focus between General Hayden and I today, is focusing on cyber security, and the kind of broad fundamentals I would highlight are number one, it’s about the ability to bring together multiple perspectives, and multiple organizations to achieve the desired outcome. The idea that the DOD all by itself is just going to defend its networks, I don’t think that’s gonna get us where we need to go. We spent a lot of time thinking about what are the skill sets, what are the technologies, what are the capabilities that reside outside the department that we need to try to access or integrate into our scheme of maneuver, as we’re trying to figure out how we defend the department. I would urge us to think about defense more broadly. One of the things for Cyber Command, one of the goals that I’ve set for the coming year is how do we migrate from a focus on the defense of networks and how do we think more broadly about how we defend networks, combat systems, platforms, and data? To me, those are the four, when I look at what should we be focused on defending, those are the four things that I tend to focus on, networks, platforms, weapon systems, data. So as we’re trying to build the future for us from a joint perspective, within the DOD, we are very focused on those four areas increasingly. We’re also asking ourselves, so what do we need to evolve to? What does the future look like? ‘Cause as I said, it’s not necessarily where we are today. I’m very grateful, we got a department leadership that is very much telling us as commanders, as intelligence professionals, you’ve gotta be open to the idea the future’s going to be different than the past. The underlying principles remain fairly consistent over time, but the way we go about achieving them, the way we organize to achieve them, that evolves over time. With that, I very much look forward to your questions, and look forward to what we’re gonna hear from General Hayden. – Thanks very much Admiral Mike, and I’m really happy to be back among a bunch of familiar faces. This is really very nice. The Admiral mentioned that his writ goes beyond the Department of Defense, specifically said, the capacities on which he will have to rely to do his mission. Many of them are being created beyond DOD perimeters. Let me dwell on that, as kind of the private sector guy for the moment, on today’s panel. Look, there are certain things only governments can do. So let’s make sure we fence some things over here. That’s only government activity, and Mike, if you look at his testimony, particularly the last year of the Obama administration, it hasn’t been so much a focus so far during the Trump administration, but Mike has talked an awful lot about expanding his writ, or expanding our understanding of definition of reliance on willingness to use cyber deterrence, rather than just defending at the perimeter wire. So I totally agree. A, there’s some things only governments can do, and I agree with the Admiral, we need to explore some of those things further, because a lot of his capacities right now are actually limited by policy, and sometimes law, that we might want to consider. Beyond that though, let me also talk about how much in this domain we will be relying on the private sector, and so I’m happy to talk to the Air Force Association, which is a government industry partnership, an activity that’s got things like CyberPatriot, that’s trying to raise the national water level of cyber security, not just narrator defined, military, or Air Force. Let me work a little bit without a net, be a little bit provocative, a little forward leaning. You know when I went down to San Antonio, and entered this university for the first time about 20 years ago, my new team down there said, “General, take out a clean sheet of paper, “a number two pencil and write this down. “Land, sea, air, space, cyber. “It’s a domain, it’s an operational environment, “we’re gonna go fight there.” Now that’s become accepted U.S. military doctrine, but it had it’s origins down in San Antonio, with what was called then, the Air Intelligence Agency. I naturally assumed, as a near four decade government guy, that defense up here in the cyber domain would look a lot like the defense down here in physical space. In other words, it’s all about the government providing a security, the way we look for the government to provide security in our air space, or on the ground, or in our maritime borders, and so on. Over time, I’ve come to realize that may not be true. In other words, the main effort down here was the government, and the private sector should tuck in behind the government in a support role. This audience knows this better than most I talk to. You know, you get that op order out of the joint chiefs, and there’s a paragraph in there about command and control, and there’s very clear guidance. You are the supported command. You are the support team commands, or you know. Since we’re near a civil war battle fields here, we can pull out an op order from Robert E. Lee, and say, “Sir, your core, sir, your core is the main body, “and you gentlemen, will conform your movements “to the movements of the main body.” Again, because of my habits down here, I thought in just about every case, the main body for defense up here would be the government, and industry private activity needs tuck in. I’m no longer convinced of that. I actually think in many day-to-day circumstances, the not first, but only line of defense, as a practical matter, will be what we can achieve by and through our private sector. Therefore, I call on people broadly in government, not just the commander of Cyber Command, but broadly in government, so if you begin to realize that, accept that, what is it you need to do to empower, or put another way, remove impediments in front of the private sector, to be all they can be, to provide the kinds of defense that they may be the only ones who can do it up here. Again, working without a net, I’m gonna use one very specific example. Recall San Bernardino, recall the cell phone, recall the steel cage death match between Tim Cook at Apple, and Director Comey over at the FBI, with Director Comey needing, legitimately needing to get into the phone for forensic, evidentiary, perhaps warning of future attacks that may be in that phone. It surprised a lot of people that Bill Linn, Mike McConnell, Keith Alexander, Mike Chertoff, and Mike Hayden all shaded towards Apple, and we didn’t do it out of civil liberties concerns. He was dead. He doesn’t have any privacy rights any more. We didn’t do it for Apple commercial concerns. We did it on raw security grounds. Despite Jim Comey having a legitimate need for that information, one needs think two, three, or four times, before meeting that legitimate need, you make it harder for American industry to do what it was I just said to you, I think only American industry can do, which is to raise our overall cyber security level. Different circumstances, I may have voted a different way. All I wanted to do by introducing San Bernardino, was to simply suggest in this domain, that public/private thing may actually be a bit on its head from time to time, and we need to be aware of that, otherwise, we just won’t be all we can be in keeping ourselves safe. Thank you. – Thank you gentlemen. – Sir, since you’re up. – I’m up, yes sir, I’m up, and I am delighted that we are overwhelmed with a stack of questions that won’t quit. Of course I’ve reached the age where I cry at Walmart grand openings, but I’m getting dewy eyed here, just looking at them. The first question, I’ll direct to Admiral Rogers. “Sir, what hasn’t been mentioned here today, “but is a very important topic, and that’s infrastructure “the scathe of stuff, supervisor control, “and data acquisition, pipelines, power grids, “water systems, the infrastructural issues “that are associated with that. “Do you think we have sufficient national policy “to address that, and how do we bridge between government, “between the military, and the private sector, “and the public service sector, to make sure “that we treat those as urgently as we should?” – So, I think in some ways this goes to a point Mike made. I think one of the challenges of cyber is it is going to force us to get out of many of the traditional definitions that we have used to define responsibility, to define privacy, to define role. If you look at, let’s say power. If you look at critical infrastructure for us as a nation, from a DOD perspective, challenge them. Number one, you gotta acknowledge it is resident in the private sector. It’s not resident in the government. Therefore, you’re trying to ask yourselves, so how do we apply government expertise in partnership with others, to defend something, which is not within the government’s control, or day-to-day knowledge in many ways. As General Hayden said, I think the challenge then becomes what’s the construct within the framework? What’s the construct that generates the best outcomes. It isn’t to me that, hey I’m the DOD, I’m the 800 pound gorilla. I show up, okay we understand command and control. We understand how to deploy capability. We understand how to rapidly surge to defend or to exercise, or deal with problems. We got it now. That is not the way we’re gonna need to do this. I think it’s about a true partnership. The second point that I try to make is my military experience has led me to believe you are not the probability of a successful mission outcome is not particularly high the first time you’re dealing with the problem, or a set of partners is in the middle of a crisis. That is not the way to maximize the probability of a successful outcome. So, as we’re working in Cyber Command, as we’re working DHS, as we’re working with the private sector, we’ve identified actual, a couple ongoing… We just started this within the last couple months, where I’ve argued, let’s pick a couple test cases within the 16 currently defined sectors as critical infrastructure for the nation, between that sector, a particular element within it, DHS and us, as to how we can actually execute this set of defensive responsibilities, in the middle of a crisis, attack, or incident? I’m looking forward to see how that plays out, because what I hope comes from it, is how do we set up an ongoing, continual evolution that enables us to position ourselves for success in the day-to-day, as opposed to waiting to a crisis to respond? I hope to see some results from that, as we head into the next year. – Let me just add a point to reinforce kind of back to my earlier theme about we’ve got to rethink, and Mike just mentioned that. So that might mean not the DOD, or the government, is a bit more generous with security clearances, or a bit more rapid in sharing classified information. It may actually mean redefining what we mean by security clearances, redefining what we mean by classified information in this kind of world. – Thank you sir. General Hayden, reflecting on your time as an Air Force leader. Of course the Air Force operates two legs of the nuclear triad, the air thread, and ICBM thread, we had a very energetic panel here yesterday regarding strategic modernization. I’d be interested in your, and then followed by Admiral Rogers, your thoughts on the implications of cyber warfare as related to the triad specifically, what are the considerations that we need to take on with respect to fielding modernized nuclear systems, and what are the implications to global threats with respect to cyber in a nuclear world? – Wow, there are a lot of unpacking to doing in that question. So first of all, let me just really quickly address kind of a non-cyber answer. It was the preface to the question, which was, we gotta get back to our nuclear hallmark, and I spent easily a quarter century doing that whether one warhead, three warheads, or 10 warheads in Wyoming, was more or less stabilizing. Remember all that stuff we went through, and balance, and mutually assure destruction. You know, 20 years ago I went, oh man, that’s gonna be interesting for the historians, and a bit surprisingly, and sadly, it is back, largely because of the rearmament of the Russian Federation, and we’re gonna have to go back and reinvest, and modernize, and pull out those old dust covered tombs about nuclear theology, and begin to rethink, again, how we assure stability in a multi-polar nuclear world. That’s a sadness. We’re gonna have to go do it, but now it’s made more complicated, because you’ve got this added dimension of the cyber aspect. Very quickly, two things come to mind. One of the things we prided ourselves on in the nuclear world, and the nuclear era, was our positive control over our nuclear strike forces. We knew when to launch, how to launch, and kept them completely under our control. They were totally reliable, they would respond to the order, and they would not respond to anything that was not the order. We spent the gross domestic product of a midsized country making sure that was always true, and now that’s gonna be more difficult to make true in a cyber world. That was one additional concern that didn’t predate the current world. The other is, what could, and here I might actually defer to Mike a little bit, because he has talked about deterrence, and we need to think our way more through cyber deterrence, and I’m really interested in what he has to say, so what aspect of the cyber domain might actually contribute to the broader theory of deterrence, which back in the day, we totally relied on our nuclear strike force to perform? I think there’s an awful lot of thinking to be done about not just protecting our command and control, but how our offensive cyber capacity might actually contribute to what it was we formerly relied only on the physical destruction or our nuclear forces. – So, as I look at it, it’s a little bit like one of my opening comments. When I look at the nuclear triad, I think to myself, how do we ensure that it has assured command and control? How do we ensure that the platforms and the capabilities are in fact safe, and are ready to execute as directed by National Command Authority? How do we make sure that the data associated with that evolution is non-corrupted, is accurate, and has not been accessed or manipulated in any way by anyone other than the intended recipients. That same challenge arrives at, look think beyond just the network piece. I look at the nuclear world, and I think you guys are a microcosm of this. We cannot just fixate on, well it’s just about the network or the C2 link. I think we’ve gotta think much more deeply than that, and just as we have seen within the nuclear structure itself, we have come to the conclusion, look, we have got to increase the level of investment, and we’ve gotta upgrade the capability to reflect the challenges of today, to assure to continue to assure that this mission set is ready to deliver to the National Command Authority. There’s a cyber component to this as well, and quite frankly right now, we’re working our way right through that right now, as a matter of fact. It’s something that General Hyten and I, the Stratcom Commander, as well as my broader teammates within the DOD, we’re spending a fair amount of time right now asking ourselves, so what are the cyber applications of this? – Thank you sirs. This next question I’ll first direct to you Admiral Rogers, and there’s an abundance of questions here regarding the interface between, government, military, and the civilian sector. I’ll synthesize them into this one question. How do we define the boundaries of information sharing with respect to threats, with respect to threat remediation, with respect to actions that we can and can’t take as a nation. The financial sector is understandably a little reluctant to share too much, because of the effects on the financial markets of knowing that there are attacks that are happening. But could you share with us your insight sir, on what’s being done to share information on threats, and to share information on remediating those threats? – So I think General Hayden made a very important point here. I think over time we’re gonna need to redefine, so what does classified information really mean? What does information sharing really mean? As I’m talking to the private sector about given DOD’s mission to defend significant infrastructure, the 16 segments that I’ve identified as critical, against cyber incidents of significant consequence, how is the DOD gonna execute that, and clearly the ability to share information in a timely way, that’s focused on generating mission outcomes, is very important, and the ability to execute that. One of the things I tell my private sector partners is, what I need knowledge of is your network configuration, your network activity, and I need to get a sense for what are your critical paths? Where is your most critical information? If I can get access to that, I think we can work together and I can help with your challenge set. The flip side of that, is I’m gonna look. I don’t need to watch, or necessarily have access continually, to your internal business processes, and the data often associated with that. That’s not what we need to execute our ability to defend. The other point I try to remind people is, so what does defend mean? My argument would be what the DOD, and as an intelligence professional, what we bring to this defensive mission is expertise and knowledge of the potential actors and opponents, the way they operate, maneuver, and the skills that they bring, and the tools that they bring, combined with our knowledge of networks, and schemes that maneuver within networks. That’s what we’re gonna bring to the table to try to assist, but the flip side is, I don’t have detailed knowledge of the particular network configuration. Again, that’s one reason why I’m arguing, we need to practice, work together on a continual basis, gaining knowledge of an opponent while you’re moving to contact against that opponent is a terrible way to learn. It generally leads to higher casualties, greater costs, greater probability of mission failure, at least longer to do the mission. I’m not interested in doing, you know, discovery learning, while your moving to contact against an opponent if I can avoid it. So when it comes to information sharing, I’m always interested in what can we do working together, what insights can we provide each other, because that’s another point I would make. You can’t think about information sharing as just, well it’s just the government providing insights. It’s got to work both ways, because quite frankly, in the private sector has data and insight, that without access to, we’re sub-optimized to defend the nation. I want to take advantage of the data analytics. I want to take advantage of the computational capability. I want to take advantage of the kind of capabilities that we can bring, that are a real plus to a network we’re trying to defend. – If I could add just something from the backside of this, as Mike said, we need stuff from these guys. What of our current regulatory environment, be it about competition, or antitrust, environmental regulations, and so on, all put out there for absolute legitimate reasons, have the inadvertent effect of slowing down cyber cooperation within a private sector sphere, within the financial services community, and back to my earlier point, one of the things we might want to do is in what ways do our old approaches get in the way of the private sector doing the kinds of things that we really want them to be able to do up here in this domain. – One other point, Sony is very instructive to me as a real world example, so November, 2014. It’s hard to believe we’re coming up on three years, when Sony is penetrated by the North Koreans, both for the extraction of intellectual property in the form of films, for the extraction of information in the form of company emails, and company insights, as well as then the launching of two destructive viper malwares, that end up destroying laptops, and portable devices associated with Sony. When Sony reached out to the federal government and said, “Clearly we’ve been hacked. “We’ve got an offensive act, “and we’re interested in government insight “to help us understand what has happened, “how do we make sure it doesn’t happen again, “and quite frankly, “how do we drive them out of the network?” You know the first discussion from my perspective was the only way this is gonna work, is if we are open with each other. If we can’t do that, this is a waste of capability. We’re not gonna be able to help you with the insights you need. To their credit, it’s one of the best relationships I ever saw. I mean talking to the general counsel, talking to the CEO, largely, not necessarily me personally, with the immediate feedback, we will give you access to whatever you need. What we ask is you’re very up front with us about what access do you require? Why do you require it, and how do you intend to use the data? After a very quick discussion, it was let’s roll up our sleeves, and let’s go. I just love that. It’s one of the best real world examples I’ve seen with the private sector, where we were able to very quickly then determine who is the actor? How did they gain access? How did they maneuver within the network? What did they do the network? How could we make sure that we could help Sony have confidence that they were no longer in the network? We were able to achieve those outcomes, in part because of this willingness to flow data back and forth between us. – Thanks sir. General Hayden, I’ll direct this first to you, of course, Title 10 charges the services with organizing, training, and equipping. One of the portions of that equipping cycle is of course the acquisition process. Do either of you gentlemen have a perspective on do we need fundamental changes in the way that we organize, train, equip, and acquire as part or that, to reflect the dynamism of cyber systems, and how quickly they change? – Yes. – Yes. – Now let me ask a follow-on question, what would you recommend as changes, and what specific areas in the acquisition process would you consider those most right for improvement? – I’ll go first, but Mike’s got the current answer, and he should give the lengthier, more definitive response. Again, we’re without a net here, all right. As Cyber Command goes forward, and now it’s a full unified command, and then one day, maybe soon, maybe not, it becomes a separate from NSA. I think one thing that’d be really interesting to explore would be MFP 12, so that we treat Cyber Command, because of the character, the nature of its mission, the way we experimented with SOCOM, with tremendous effect and success, because we gave the combatant commander some acquisition authorities that combatant commanders have never had before. Again, Mike’s current. He knows more realities than I do about the current atmosphere, but as a concept, I really would consider a fully mature Cyber Command having acquisition authorities that jump over, then train, organize, and equip function of the traditional military departments because of the speed thing. – To go to the acquisition piece, the way that we’re currently structured, the way I’d say it is number one, we’ve got to fundamentally change this construct. I’m not an acquisition professional, but the way I phrase it to people, is if you look at the criterion for success, for most acquisitions, it is did you deliver on time, at cost, and did you meet the operational parameters as specified in the proposal, so to speak? The criteria that I don’t see, and I often say is, so if you want to change culture in my experience, and you want to change bureaucracy, you incentivize the behaviors, and reward the behaviors that generate the outcomes you want, and you de-incentivize and penalize the behaviors, the joinery outcomes that are not consistent with what you’re trying to achieve. So we need to change culture, cyber security needs to be a fundamental aspect of how do we define success from an acquisition perspective? It’s not necessary now. Secondly, I have also tried to argue because of the changing nature of the cyber dynamic, the idea that you are gonna deliver a product capability, or platform, at a particular point in time, and then slap your hands and say, Cyberwise you’re good to go. That’s not gonna work, so one of the things I talk about is that we need to change the life cycle approach to the development and fielding of capability in the department, from a cyber perspective, given the rate of change in this environment? Right now, the acquisition world isn’t really set up to do that. It’s not a complaint, it’s an observation. It hasn’t had to really work in that world to the same extent. So to me, we’ve got to change that, and then the other thing for me as a commander is, and it goes to a little bit about what Mike just said, we historically, and I say historically, have structured an acquisition process that was at its heart really designed to generate capital intensive capability, that took extended periods of time, with great complexity, and therefore you built that into the process. While I acknowledge that some of the cyber capabilities we need have complexity, they’re not necessarily capitally intensive in the same way. They don’t require the same length of duration to generate, and so another part, and you’ve seen this with MF 11, and what SOCOM has been able to do in the special forces arena, how do you over time, generate that kind of capability for the department? You’ve already seen where congress within the last 18 months on a kind of test basis has granted Cyber Command initial acquisition authority, and initial set of funding, as a matter of fact, to kind of flush and test this concept out. As a commander, I’m really interested for us as to how we flush this out over time. – We had bit of a kind of a Paleo example of this when I was director, and if I read the Trade Press right, I think NSA has just extended the contract for what was known as the Groundbreaker program when I was director. In order to focus on mission, we outsourced all of our own IT. All the workstations, all the phones, all the networks connecting them, including the classified networks, we just gave to the private sector, because we could not manage their modernization within government procurement cycles. Again, that’s kind of a baby step. It’s our IT, it’s not their IT that we’re trying to attack. That has been successful enough that it has been extended. – Gentlemen, and General Hayden, you mentioned Cybercom’s elevation to a full unified command status. One of our attendees would be interested in your perspectives, both of you gentleman, on what’s good about that, and maybe what concerns you about that change for Cybercom? So General Hayden, if you’d care to lead on this one. – Sure, very briefly, because this audience knows this part of the bible here. When I got that first briefing in Texas, land, sea, air space, cyber, it’s a domain, General, welcome aboard. That set in motion a train of inescapable logic that we we would organize to fight in that domain with a separate command. Once you accept the fact that it is a domain, there is no one who has ever been an American GI would doubt sooner or later, you’re gonna end up with Cyber Command. I got again, the first version of it with the unwieldy name of Joint Functional Component Command Net Warfare. In late ’04, early ’05, Jim Cartwright at Stratcom, I got a direct line Title 10 authority to Mike Hayden at Fort Meade, where Mike Hayden could then use the resources that were already there under Title 50 funding, to actually do Title 10 break things, kind of things, rather than just spy on things, kind of things. That is just a natural evolution, and so to answer your question very straight forward, this is an absolute inevitability. To me the easy step was the elevation. A little more controversial, but I still think necessary step is the breaking of the linkage between the person of the commander and the person of the director. The way I would put it is, the current structure is overburdening for one organization, and the training wheels are getting in the way of the other organization, getting up to actual speed. Here’s the guy who’s living it. I’ll let Mike comment. – So the current structure today reflects the fact, number one, we acknowledge it was a domain, therefore we felt as a department, you need a very traditional war fighting construct for how you’re gonna execute outcomes in this domain, thus was born the idea of Cyber Command. At the same time, seven years ago, when we stood it up, we also said, let’s take advantage of the investments, expertise, and capacity, that was already are resident within the DOD. When we asked ourselves, where is that center of DOD gravity in cyber, seven years ago, the answer was National Security Agency out at Fort Meade, which is a combat support agency, although it’s an intelligence organization. It is a combat support agency that works for the Secretary of Defense. We spent the last seven years in this construct now of, so how do your operationalize cyber outcomes within a very traditional, war fighting structure, at the same time that takes advantages of expertise, investments, capacity, and capability, and we’re now at the stage where we’re asking ourselves, are the assumptions in the environment that drove this construct seven years ago, are they still in place today? I don’t want to get ahead of the leadership, as this is an ongoing topic. In fact if you read the President’s Memorandum on the 15th of August, on the White House site, it’s online, in which he directed Cyber Command would be elevated to a combatant commander. He also said to the Secretary of Defense, I’m looking for your recommendation as to what the future alignment between these organizations should be, and if you recommend that the current alignment be changed, what would your plan be to do so? So as a department, we’re working our way through that right now. That is an ongoing process. I would just say, let’s let it go through that process, but to me, it also goes to one of my previous comments. We have got to be open to the idea that we are continually evolving in this construct, and look how fast it’s gone in just literally, just over 10 years. We went from a functional component aligned against co-com, to alignment with Title 50 authority and capacity, to also then saying, well, let’s use a very traditional war fighting construct in the form of a sub-unified, to now let’s go to a combatant commander, and I think that the next question in this evolution is, does that alignment still make sense as we’ve evolved a very traditional operational function? I just think that the rate of change I tell people in the life of the DOD, you just take a look at the last 10, 12 years in this mission set, and you know, Mike I’m at my 36 year of commission service. I am blown away by the rate of change, particularly against tradition of bureaucratic timelines. – I want to double down on what Mike just said. So I started with JFCCNW, Joint Functional Component Command Net Warfare. Title 10, work for Stratcom, use that to save resources. There’s stuff in front of that. There’s stuff that predates that, something Ken Minihan launched, called the IOTC, the Information Operation Technology Center, which fundamentally was an underground secret effort to develop cyber weapons under the rubric of an espionage agency out at Fort Meade. I mean it was literally slight of hand, because Ken saw, Ken Minihan saw, that, to get into theology very briefly, if you can exploit another’s network, you’ve already done the operational and technological heavy lifting. The actual attack is a subset of the reconnaissance up here, in the cyber domain. So Ken recognized people were gonna be coming to our door about this, sooner or later, and he wanted this small group, it was only about a couple hundred people. I inherited it, and I’m the one who turned the IOTC into Joint Functional Component Command Net Warfare, but there were people, visionaries like Ken Minihan, who saw this coming. Now the punch line is, that is a total of 20 years ago, and in terms of the glacial pace of many things within the Department of Defense, that’s amazing. – Thank you sirs. Another one of our attendees, and I’ll direct this again first to Admiral Rogers, the theme of this conference is Breaking Barriers. I’m interested in both of your brief perspectives on what’s Nervana, if there is one, with respect to cyber security, and a national cyber posture, when will we know that we’ve arrived, and what are the barriers between where we are now, and where we want to be, and how should we overcome them? Admiral Rogers. – So I always wonder, how do you define arrived? I just tell our workforce, given the rate of change here, you just gotta get used to the idea that the goal line keeps evolving, keeps changing, and arrival, so to speak, isn’t to me, no criticism of anybody, but I try to remind the workforce, I don’t think that’s the mindset we really want to have. We got to acknowledge that, that goal line for us keeps evolving, keeps changing. What do we gotta do to keep getting as close to it as we possibly can? I’ll let you go, because I want to think. There was something that flashed my mind. – Like you said, in this domain, in both the espionage aspect, and the war fighting aspect, all advantage is transient, and frankly, because it’s not capital investment that you described, which is the key to power down here, the advantage is even more transient in this domain. I’ll double down on Mike, the goal lines keep moving. – Gentlemen, on behalf of the entire Air Force Association, I can’t think of a better group of experts to have been brought together than you two. We genuinely appreciates your- – You’re setting your standards very low. – No sir, we are not. No sir, we are not, and as we celebrate the 70th birthday of our United States Air Force, I’m pleased to present you each with a 70th anniversary birthday coin of our Air Force. Ladies and gentlemen, please join me in thanking Admiral Rogers, and General Hayden. (audience claps)

Please follow and like us:

Tags: ,

Leave a Reply

You must be logged in to post a comment.


Untitled Document
Professor William Snyder

Professor William C. Snyderis a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Ryan D. White

Ryan D. WhiteRyan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic. Full biography

Shelby E. Mann

Ryan D. WhiteShelby is a second year law student at the Syracuse University College of Law. She is the 2018-9 Editor in Chief of the Syracuse Law Review, as well as a member of the Journal on Terrorism and Security Analysis, and the senior editor for the Syrian Accountability Project. During her final year at the University of Missouri, she served as a full-time news producer for ABC 17 News. Shelby spent her first summer of law school at the Shelby County District Attorney General's Office in Memphis, Tenn., in the Public Corruption and Economic Crimes Unit. Full biography

Christopher w. FolkChristopher W. Folk

is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. In Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received a M.S. In Computer Information Systems. Christopher previously worked in Software Engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law. Full biography

Anna Maria Castillo

Anna Maria Castillois 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor in the Syracuse Law Review. Full biography

Jennifer A. CamilloJennifer A. Camillo

is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. PistoreseTara J. Pistorese

holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog when a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.) Full biography


Follow by Email