The recently departed director of the National Security Agency and former head of U.S. Cyber Command believes the U.S. structure and organization against cyberthreats isn’t up to snuff.
Following his time in government, and after observing several high-level and senior discussions, Michael Rogers said one of the fundamental conclusions he’s come to is “the current structure is not working and it’s not going to work. It’s just suboptimal to me.”
Speaking Sept. 10 at an event hosted by the Aspen Institute in Washington, Rogers said the current structure works against generating the necessary outcomes.
One of the contributing factors, he said, is that there is not enough expertise within the senior levels of the government, which led him to think at times “we’re talking about fundamental game-changing policy that, if we’re honest, we don’t truly understand.”
Rogers believes the right approach is defining the desired outcome first. Suzanne Spaulding, who formerly served as under secretary for the National Protection and Programs Directorate at the Department of Homeland Security and was speaking at the same event, agreed.
Spaulding noted that regulatory authority won’t be able to keep up with the dynamic nature of cyberspace, which as a result should force policy to lean toward an outcome-based approach.
According to Rogers, the approach, be it regulatory incident response or providing technical expertise, will result in completely different structures being needed.
The biggest challenge, and potentially the biggest key to success in cyberspace, is partnerships. Rogers said the biggest challenge he sees in cyberspace in totality is that it forces sectors to get out of their traditional approaches.
The traditional course of thinking about what is the government’s role versus what is the private sector’s role is not going to get the nation to where it needs to be in cyber, he said.
“It’s all to me about integration and partnerships and bringing the right people, the right institutions together in ways that quite frankly we’re just not used to as institutions and we’re not structured well to do it,” he said.
Rogers also wondered how bad it is going to have to get before the nation figures out it has to fundamentally restructure the way things are done.
On the actual operations front, Rogers was brief when discussing the rollback of Presidential Policy Directive-20, an Obama-era policy directive governing the use of offensive and defensive cyber capability outside government networks.
The Trump administration kicked off a new era of government cyber operations by “rescinding” a presidential directive that had restricted offensive capabilities, an administration official told Fifth Domain, but experts warned the move would not be sufficient in deterring state-based hacking.
Rogers offered only that he was an advocate for changing PPD-20 during his time in government.
Some of PPD-20’s critics believe it hamstrung the Department of Defense and the government writ large from rapidly responding to or conducting cyber operations abroad.
The former chiefs of the military service cyber components noted that this process was not perfect and there was a continuing dialogue regarding how to speed up decision-making.
As the cyberspace domain continues to evolve, how should the authorities that govern cyber operations also change?
“It’s a work in progress in terms of the way that we’ve approached getting approvals,” then-Lt. Gen. Paul Nakasone, now the four-star commander of Cyber Command and director of NSA, said.