Legislation enabling the US government to share information with companies about cyber threats, “machine to machine and at machine speed,” will be needed to counter the growing likelihood of an attack on critical infrastructure, said Admiral Michael S. Rogers, director of the National Security Agency.
Rogers, who also runs US Cyber Command, testified at a House Intelligence Committee hearing that intrusions into the industrial control systems of sectors such as power generation and water and fuel transportation were taking place and were likely precursors to attempts at manipulation or shutdown.
“I fully expect that, in my time as commander, we will be tasked to help defend critical infrastructure in the US by some foreign nation, individual or group,” Rogers said. “We see the capability, acted on and executed, in the corporate sector outside of the US. We see the presence of these actors in our infrastructure. It is only a matter of when, not of if, we are going to see something traumatic.”
A cyber threat bill that has already been approved by the House provides a legal framework for sharing information about attacks and would “allow the insights of one to come to the aid of many,” he said.
“We would tell the private sector, here are the specifics of the threats we think are coming at you, what it’s going to look like, the precursor activity, the composition of the malware we think you’re going to see,” Rogers said. In return, companies would report to the NSA what they had seen.
“We do not have a presence on private networks inside the US,” he added, which is why a partnership is being sought.
The bill also provides liability protection for companies, while addressing privacy concerns.
“I have specific protections I must provide to US persons data that would slow us down,” Rogers said. The NSA, a foreign intelligence-gathering organization, faced legal constraints on data collection against individuals or corporations in this country and would not be seeking it in such instances.
The effort to forge a public-private partnership is part of the agency’s mission to protect 16 segments of the private sector deemed critical infrastructure by the president.
“We are halfway through a four-year journey,” Rogers said. The NSA has also been building a cyber-mission force comprising 80 percent military personnel and 20 percent civilians that has both defensive and offensive capabilities.
Retention among the civilians “has exceeded our expectations,” he added. The agency, which cannot compete financially with the private sector, appeals to patriotism and the desire to have more “responsibility at a young age.”
Having defined who would do what in the event of a cyber attack, he said, the government was working out details of execution so that training could begin.
The agency is also involved in international efforts to set norms for cyber warfare.
“There isn’t yet a sense internationally of the risks associated with behaviors,” he said, which leaves us “trying to guess intent, or where things are going to go.”
“We are trying to define when espionage becomes economic warfare,” he said. “We make the distinction between a nation state trying to understand the world around it and the capabilities of a nation state being applied against the private sector of another nation to gain economic advantage.”
This constituted the major difference between the US – which does not accept the second premise – and China, Rogers said.
Regarding attacks on infrastructure, he asked, “at what point has a state opened itself up to repercussions?”
These systems “are foundational to almost every networked aspect of our lives, from water to power, finance and aviation,” he said.