The government’s efforts to deter computer attacks against the United States are not working and it is time to consider boosting the military’s cyber-offensive capability, the head of U.S. Cyber Command told Congress on Thursday.
“We’re at a tipping point,” said Adm. Michael S. Rogers, who also directs the National Security Agency, at a hearing of the Senate Armed Services Committee. “We need to think about: How do we increase our capacity on the offensive side to get to that point of deterrence?”
Rogers noted that the command, which launched in 2010, has focused mostly on defense. But, he said, “in the end, a purely defensive, reactive strategy will be both late to need and incredibly resource-intense.”
His testimony picks up where his predecessor, retired Gen. Keith Alexander, left off. Alexander, who retired last year and started a cybersecurity firm, had long advocated a more robust offensive capability. But concerns over the years from the White House, the State Department and even some within the Pentagon that the use of cyberweapons could trigger unintended consequences and might harm diplomatic relations have slowed their deployment.
Rogers said that President Obama has not yet decided to delegate authority to him to deploy offensive tools.
He indicated that policymakers still were not convinced that it was time. “We’ve got to increase our decision-makers’ comfort and level of knowledge with what capabilities we have and what we can do,” he said.
When asked by Chairman John McCain (R-Ariz.) whether he agreed that the “level of deterrence is not deterring,” Rogers said: “That is true.”
Rogers was emphatic that the threat is growing. Attackers not only want to disrupt, but also establish “a persistent presence on our networks,” he said.
He said that he sees “a strong, direct linkage” between “individual” hackers in Iran, Russia and China and “the nation state directing” an attack or intrusion.
He said the command will watch for signs that foreign governments are trying to confuse analysts by using “partners” outside government so the activity is not as easy to attribute directly to the state.
Rogers’ views on cyber-offense were endorsed by several committee members, most notably McCain, who used the platform to knock the Obama administration’s handling of recent cyber-incidents.
The November cyberattack by North Korea on Sony Pictures Entertainment “has exposed serious flaws in this administration’s cyber-strategy,” McCain said at the hearing’s start. “The failure to develop a meaningful cyber-deterrence strategy has increased the resolve of our adversaries and will continue to do so at a growing risk to our national security.”
Administration officials, however, say that the financial sanctions imposed against North Korean officials following the attack and the indictments last year against five Chinese military officials who were accused of stealing corporate secrets from U.S. companies show greater resolve to hold adversaries accountable.
Rogers has said it was necessary to name North Korea as the country behind the Sony attack to deter other nations from taking similar actions. Naming North Korea as the state responsible for a cyberattack was virtually unprecedented for the United States.
McCain and other lawmakers want to see more forceful action.
“I just think it’s critical to develop an offensive cyber-capability,” said Sen. Angus King (I-Maine ). Moreover, he said, that capability needs to be publicized.
Remember “Dr. Strangelove,” he said, referring to the classic movie satirizing Cold War fears of a nuclear conflict. “If you build the doomsday machine, you’ve got to tell people you have it. Otherwise the purpose is thwarted.”