NEWS AND ANALYSIS:
Deputy Defense Secretary Robert Work this week outlined the Pentagon’s plan for deterrence against cyberattacks from nation states such as China, Russia and North Korea.
In testimony Tuesday before the Senate Armed Services Committee, Mr. Work also confirmed that three major cyberattacks in recent months were linked to China, Russia and North Korea.
“The recent spate of cyber events including the intrusions into OPM, the attacks on Sony, and the Joint Staff networks by three separate state actors is not just espionage of convenience, but a threat to our national security,” he stated.
China carried out the Office of Personnel Management attacks, North Korea hacked Sony Pictures Entertainment, and the Joint Chiefs of Staff email system was knocked out temporarily by Russian hackers, defense officials said.
As a result, the deputy defense chief said the Pentagon, as part of its cybersecurity strategy, is seeking to create a Cold War-style cyberattack deterrence posture that it hopes will reduce such sophisticated strikes.
Deterring cyberattacks remains a deficiency, and critics in Congress have blamed the Obama administration for the lapse by adopting passive strategies against the problem. Instead of using U.S. cyberpower to deter attacks, the administration has relied on ineffective legal action and diplomatic overtures.
The result has been an increase in the scale and sophistication of cyberattacks regularly carried out against government and private-sector information networks.
Navy Adm. Mike Rogers, commander of the U.S. Cyber Command, has been one of the leading voices within the administration pushing for a stronger deterrent posture against cyberattacks. He has said the cost of conducting attacks is too low for adversaries to stop.
“I want to acknowledge upfront that [Defense Secretary Ashton Carter] and I recognize that we are not where we need to be in our deterrent posture,” Mr. Work said.
He then laid out how the Pentagon plans to boost cyberattack deterrence.
“Deterrence is a function of perception,” he said. “It works by convincing any potential adversary that the costs of conducting the attack far outweigh the potential benefits, and therefore, our three main pillars of our cyber deterrence strategy in terms of deterrence are denial, resilience, and cost imposition.”
Mr. Work said deterrence is “having to demonstrate the capability to respond through cyber and non-cyber means to impose costs on a potential adversary” — something the administration has not done.
The Pentagon now has options for holding cyberattackers “at risk,” but how that would translate into action is something Mr. Work did not specify.
Adm. Rogers, at the same hearing, said: “We are hardening our networks and showing an opponent cyberaggression won’t be easy.
“I think we have to clearly articulate that, as a nation, we are developing a set of capabilities,” Adm. Rogers said. “We are prepared to use those capabilities if required.”
Asked what actions would be taken and whether it would be diplomatic downgrading of foreign relations or offensive cyber counterattacks, Adm. Rogers said, “potentially all of those things.”
According to defense and intelligence officials, President Obama for the past several years has rejected cyber counterattack options on several occasions as a U.S. response to Chinese hacking.
Mr. Work said cyber counterattacks “may be an option.”
That prompted committee Chairman John McCain, Arizona Republican, to say: “That’s not a policy, Secretary Work. That is an exercise in options. We have not got a policy, and for you to sit there and tell me that you do a broad-stroke strategy is frankly not in compliance with the law.”
Mr. McCain pressed the deputy secretary to produce a congressionally mandated report outlining Pentagon counterresponses to cyberattacks. So far, the report has not been produced.
NSA SECRET REORGANIZATION
Despite the need for better intelligence and cyberwarfare capabilities, Adm. Mike Rogers, who, in addition to being commander of U.S. Cyber Command, also directs the National Security Agency, revealed recently that NSA’s budget has been reduced for five years in a row and that its workforce has not been increased.
Asked by Senate Select Committee on Intelligence Chairman Richard Burr, North Carolina Republican, what his most serious resource problem is, Adm. Rogers said: “Requirements far exceeding resources.”
The four-star admiral added: “If you look at the growth of cyberchallenges, you look at the proliferation of communications technology, trying to stay on top of this with a workforce that has not grown.”
Adm. Rogers then said for fiscal 2016, which begins Thursday, the agency will see whether spending for the NSA will continue its decline.
“We’ll see how the budget comes out, but we project this will be the fifth straight year of a declining budget,” he said. “And so one of my challenges as a leader is, how do we continue to generate the insights the nation is counting on, even if the resources that we use to generate those insights continue to decline?”
The comments cast doubt on the Obama administration’s stated policy of making a top priority of stopping cyberattacks and defending U.S. networks.
Since the 1980s the NSA has been the nation’s premier cyberwarfare and cyberintelligence-gathering organization, whose capabilities for defense and offensive are said to be extremely robust.
Adm. Rogers also said the NSA is undergoing a secret reorganization that will shift its focus toward cybersecurity. With some 40,000 employees and facilities in 31 states, the agency has “a global presence that spans the world,” he said.
In his 18 months as director, Adm. Rogers said, he spent a portion dealing with the fallout from leaks of top-secret documents spilled by former NSA contractor Edward Snowden.
The director said he has used an intelligence agency crowdsourcing plan for NSA reorganization that posed questions to workers.
“If we stay exactly the way we are, if we change nothing in five to 10 years, are we going to be able to say that we are the world’s preeminent signals intelligence and information assurance organization? I’m asking you this question because my concern is, if we make no changes, I don’t think we’re going to be able to say that, and I believe that part of my responsibility as a leader is, whenever I turn the organization over, I want to be able to tell whoever relieves me, ’You should feel good we structured this so you’re ready to do what you need to do,’” Adm. Rogers said.
NSA electronic spies were asked a series of questions on how to build an NSA for the future and what the organization should look like, with a focus on developing cyberspace capabilities. Adm. Rogers said the shift will be on par as a priority to the role of counterterrorism over the past 15 years.
“It will be a foundational mission set that drives us as an organization, and it will require us to do things on a scale we have never done before and to do it more broadly,” he said, adding that doing more with less will be the rule.
Some 200 recommendations for reforms have been drafted, and more are expected. Using more military personnel, along with civilians and contractors, will be part of the plan. NSA’s last reorganization was in 1998 and 1999. A draft of the reforms was to be ready by Oct. 1.
An NSA spokesman declined to comment on the reorganization plan.
• Contact Bill Gertz on Twitter via @BillGertz.
• Bill Gertz can be reached at bgertz@washingtontimes.com.
Please read our comment policy before commenting.