5 February 2014

The Man Who Would Be King of Cyber


His eyes are set deep, shrouded in heavy bags that betray the sleepless nights he’s spent at his desk without complaint, according to those who have worked with him. He likes to quote movies, a tic that’s common among Navy officers, and has a penchant for stuffing conversations with film references and an easy laugh, but is driven by what he views as a mission to advance the operational use of cyber.

Vice Adm. Michael Rogers is slated to be the most powerful man in the world, at least as far as the cyber domain is concerned, in March when he talks the reins from Gen. Keith Alexander and becomes the man in charge at the National Security Agency (NSA) and US Cyber Command (CYBERCOM). The dual-hatted job rules both the intelligence and military world of cyber, responsible for protecting critical national security interests from the constant barrage of attacks and incursions emanating from all over the world (but mostly China), and for attacking when the president sees fit. The role is also thoroughly under the microscope of Congress following disclosures by Edward Snowden about how and when the US intelligence community tracks communications.

Rogers, likely knowing that he was in the process of being groomed for continued advancement, has kept out of the spotlight in recent years, despite taking over as head of the Navy’s Fleet Cyber Command in 2011. He rarely talks to reporters, gives speeches, or otherwise postures in public.

He’s fairly good at it though, coming across as personable and knowledgeable, maybe harkening back to his high school days when he “enjoyed participating in the performing arts and broadcasting,” according to the program for a 2012 ceremony where he was honored by his high school. The same program, likely a bit tongue-in-cheek, notes that during his tenure “he managed to avoid significant notice or accomplishment.”

On his strolls through the halls of his school located on the north side of Chicago, he likely would have bumped into his fellow class of ’77 graduate and another future power broker, Rahm Emanuel. There’s no obvious indication that the two are close, but Emanuel, former White House chief of staff and Obama administration power broker, would have been a useful ally during Rogers’ rise to command over the last couple of years.

But regardless of whether he had White House patronage, Rogers has emerged as a favorite of Alexander’s in recent years (along with Rear Adm. Jan Tighe, who’s someone to watch). While the announcement last week that he was being named NSA head and nominated to run CYBERCOM couldn’t have been a surprise, it’s almost certain that he celebrated with his wife of nearly 30 years Dana nonetheless. Dana, although not a cyber expert herself, has an interesting tie to the scandal that will likely shape Rogers’ tenure.

In the late ’90s she spent several years working for Booz Allen Hamilton. A Booz Allen spokeswoman confirmed that the company had records of a Dana Rogers working as a research assistant, although the company wouldn’t confirm that the Dana Rogers on records is the same woman who is married to the new cyber king. A source said that she actually spent a couple of stints working for the company when the Rogers family, including two now-grown sons, moved back and forth from the DC area as part of various assignments.

Even those who don’t follow the national security world know Booz as the former employer of Edward Snowden. It’s also the powerhouse of cyber contracting, headed by several former senior intelligence officials.

Snowden is likely to follow Michael Rogers around, a specter lurking over whatever decisions he makes. In particular Rogers will have to balance the insatiable thirst for cyber intelligence that dominates the military and intelligence worlds, with a renewed interest in privacy by the broader public stoked by the Snowden disclosures.

Rogers, even before the Snowden documents saw the light of day, already understood that he has to walk a careful line. In March of 2013 Rogers spent an hour with reporters and editors from Defense News and sister publication Navy Times. To my knowledge it’s one of the few sit-downs he’s done with a group of reporters in which he addressed some of the issues that are dominating the cyber conversation. Although much of the discussion centered on recruiting for his Navy cyber force, we managed to sneak in a couple of questions about broader cyber policy.

Rogers was unequivocal in his assertion that civil liberties needed to be protected.

Our fundamental premise as a nation in many ways and what sets apart from many other societies around the world is the inherent belief of the rights of the individual. That at its core, the fundamental construct of the United States of America, if you go back to when we started, was the whole idea that even as we created a government, even as we built a structure for governance, we said to ourselves the rights of the individual must remain paramount. We must not allow the power and the structure of the state to, in any way, infringe or remove those civilian liberties. That is the fundamental nature of the American construct. Cyber blurs this a little bit so there is always this tension. It is a healthy tension. I am always mindful. Hey I am very proud of the fact that I wear a uniform and I am a naval officer, but I am also proud of the fact that I am a citizen of the United States. One of the greatest nations on the face of the earth and one of the reasons why it is a great nation is that because it inherently is about the rights of each of us and our structure is designed to protect those rights. It enriches our lives and it has made us the nation that we are because of that. So I do not want to do something that fundamentally undermines that.

But despite his interest in balancing civil liberties and defense needs, he views the world from the viewpoint of a cyber-warrior sources said.

“He sees his duty in a very limited way, that of a uniformed warrior overseeing and operating in the networks,” one source said. “I’m not sure he internalizes the bigger picture of security, our digital future and how this might affect or limit his traditional duty of collecting every international secret.”

The part of Rogers’ operational focused view that might be of most concern to surveillance critics is his notion of the blurring of lines that creates the “healthy tension” between the military and non-military world of cyber.

Cyber is challenging in no small part because it tends to break down in many ways the mechanisms we use to help define problem sets. What do I mean by that? We often use geography for example. If you look at the way the department is structured, if you look at the way my fellow member of fleets in the Navy are organized, we often use geography as a definitional characteristic. Hey, your responsibilities are defined by this geography. Cyber does not really recognize geography. If you look at a cyber event, you will see it generated on a certain spot on the face of the earth. You will see it float through servers in a different country with a different command and control that in turn are directly subordinate computer systems spread across the face of the earth to then achieve an effect at a particular location. That location let us say to the United States for example. You have got a lot of different geography you are dealing with. It tends to take away geography as one tool we use to bin problems.

It also tends to blur the lines between what is military kind of infrastructure and capability and what is civilian infrastructure and capability because that flow point is not using a point that is wholly military. It is using many aspects of existing civilian infrastructure. Again, one of the ways we often bin problem sets is okay if it is a military target, you can do X. If it is a military target, you can do X. If it is not a military target, you can’t do that. Cyber blurs the lines for us. The originator might be a military entity, but the path that this process is taking, the infrastructure it flows through often has no relationship whatsoever to that military entity that said, ‘I want to create this effect in this location against this entity.’ It tends to take away the civil military. It often also tends to blur the line between what is traditionally governmental and what is in the commercial sector because again, it is not necessarily always using national infrastructure. You will see things flow through civilian ISPs, internet service providers. Same people that provide you each of our residences, we have an agreement with and we pay for a service that says I am going to use you as the provider of the multimedia aspects that I am interested in. My home, my mobile device, at work, that is a contractual relationship, many times a contractual relationship with a civilian entity. That same entity is a flow point for a lot of things. So how do you deal and how does our current structure let us deal with that kind of problem set?

It also blurs the line between within our own nation between well what is a DoD function, defense of the nation and what does that mean? What steps are you willing to take to defend the nation in the cyber arena versus functionality associated with the Department of Homeland Security, the FBI? It also blurs the lines between what is a military function, what is a law enforcement function in the cyber arena and what is counterintelligence function?

It’s those points, about the difficulty of isolating military from commercial, about the blended nature of cyber, that are now fully part of the public debate as some members of congress push for reform and the Obama administration does its best to ward off change. While Snowden may be responsible for shaping the agenda that Rogers will face in his new job, the Snowden disclosures may have nearly cost Rogers’ the job as well. Not because of any personal doing, but because the leaks led to a very real conversation about whether the NSA and CYBERCOM should be ruled by one person.

Many of those in the defense community were convinced that the two jobs would be split, including several former senior intelligence officials. They didn’t all think it was a bad idea either, with one telling me that there is simply too much to do in a combined job, and having an extra person would be advantageous.

The original rationale behind having the two jobs combined was that only NSA had the cyber expertise to be able to do the kinds of things CYBERCOM, created in 2009, needed to do. Cyber capabilities, to that point, had largely resided in the intelligence community, which remains one of the reasons those with a background in cyber are so hesitant to speak about it. The old joke about the NSA is that the acronym stood for ‘No Such Agency,’ a reminder of their emphasis on secrecy. But by merging the two jobs, the position gained incredible power, in some ways unprecedented.

White House sources have said that to some degree there’s always been an understanding disconnect, where those in the president’s office didn’t fully understand what was going on up at Fort George G. Meade, the location of the CYBERCOM and NSA headquarters. In the absence of routine needling from the White House, Alexander has been given quite a bit of freedom to shape the cyber agenda. And when the White House has tried to limit his power, the defense world hasn’t always responded favorably.

One of the things that makes Rogers different than the past generation of leaders in the cyber domain is that he has been part of the process of militarizing cyber capabilities. Not specifically in building cyber weapons, but in transitioning cyber into a legitimate military domain. He may have initially been a cryptography officer focused on areas like electronic warfare (EW), but as EW has been merged with cyber and cryptography has become focused on information assurance on computer networks, Rogers has had a front row seat to the rise of cyber.

But just because the technology has progressed, it doesn’t mean that the policy has kept pace. One issue that Rogers noted in the March interview was that there’s a lot of work that need to be done in the area of policy, especially in offensive operations.

What we need to ensure that we have fundamentally addressed are some fundamental questions like when is an action offensive versus defensive? When is an action an act of war? What actions should generate what kind of responses and what level of response? What are we comfortable with in those kinds of broad kinds of things? As we gain a greater sense of what we are comfortable with in those areas, that helps us in a traditional military framework that is okay.

Most of those questions were supposed to be answered in a 2010 review of the Standing Rules of Engagement (SROE), meant as an update from the 2005 rules. But the disagreement over how much authority to grant the military as opposed to the president to respond to cyber attacks, and how to define the murky world of cyberspace, have held up the creation of a new standard.

As Defense News reported in May, several drafts of the SROE were rejected by Alexander’s deputy because they didn’t give the defense community sufficient authority to respond as they saw fit. The White House wanted greater limits. That debate still hasn’t been settled, although a classified policy directive from Obama has mapped out some of the basic concepts of cyber response.

One of the big debates in cyber has been how much authority should remain in the intelligence community vs. the military community. One way that debate was temporarily suspended was by merging the heads of the NSA and the new CYBERCOM, thus allowing one person to navigate the world of cyber espionage, cyber defense and cyber attack at once.

The Snowden disclosures have once again raised that question, about whether so much power should be consolidated in one man. It’s something Rogers will have to work on during his tenure, assuming he is confirmed for the CYBERCOM job (NSA director doesn’t require confirmation, CYBERCOM commander does). That confirmation itself could produce some interesting fireworks, although given Rogers’ sterling record it’s hard to imagine a grounds for refusing to grant him the job. Such a move would have to be political because the confirmation will be for the half of his job that hasn’t been involved in the spying disclosures.

But Rogers, who has played the military politics well thus far in his career, will likely figure out a path to confirmation.

“He was always aware of the bureaucracy and the way that it operated,” a source said. “He wanted to execute it as best he could.”February 3, 2014 in Intelligence, Intercepts. Tags: CYBERCOM, Cyberwarfare, Keith Alexander, Michael Rogers, NSA,Snowden

No comments: