NSA and US Cyber Command boss Mike Rogers has revealed the future direction of his two agencies – and for the private sector, this masterplan can be summarized in one word.
Speaking at the West 2017 Navy conference on Friday, Rogers said he is mulling buying up more infosec tools from corporations to attack and infiltrate computer networks. At the moment the online offensive wing of the US military develops most of its own cyber-weaponry, he claimed, and he figures the private sector has plenty to offer.
"In the application of kinetic functionality – weapons – we go to the private sector and say, 'Build this thing we call a [joint directed-attack munition], a [Tomahawk land-attack munition].' Fill in the blank," he said.
"On the offensive side, to date, we have done almost all of our weapons development internally. And part of me goes – five to ten years from now is that a long-term sustainable model? Does that enable you to access fully the capabilities resident in the private sector? I'm still trying to work my way through that, intellectually."
Businesses already flog exploits, security vulnerability details, spyware, and similar stuff to US intelligence agencies, and Rogers is clearly considering stepping that trade up a notch. For example, in 2013, it was revealed the NSA was buying up exploits from French company Vupen Security.
Vupen has since shut down, and its founders started up a US-based business called Zerodium. That outfit offers security researchers huge sums of cash for details of security bugs in products, and last year offered $1.5m for a remote iOS 10 jailbreak exploit. With bounties like that being thrown around, you can bet the biz is charging its bug list subscribers healthy fees – and the US military, with deep pockets, will only be too happy to cough up, if it isn't already.
"I'm sure US companies are selling weapons to Cyber Command," computer security guru Bruce Schneier told The Register. "After all, why wouldn't they? We contract so much stuff out to private suppliers in the US military anyway."
In 2015, Cyber Command spent $460m on "a broad scope of services needed to support the US Cyber Command mission," according to the US General Services Administration. The specifics of the contract weren't released, but the winners were named as The KEYW Corporation; Vencore; Booz Allen Hamilton; Science Applications International Corporation; CACI Federal; and Secure Mission Solutions.
Bringing the US private sector fully on board doesn't just mean buying from them, but also working with them, Rogers explained.
When it comes to critical infrastructure, Rogers said that he would like to see US Cyber Command and private IT security employees having "a level of integration where we have actual physical co-location with each other."
"How do we take advantage of that and integrate at that level?" he said. "Because as an execution guy, my experience teaches me that you want to train, you want to exercise, you want to simulate as many conditions as you can before you actually come into contact with an opponent."
Rogers also said he's likely to see more help from the private sector on the defense side of online operations. He mentioned getting help on machine learning systems, something the head of Google-parent Alphabet isn't too keen to supply.
Strike Force Cyber
Rogers also outlined his plans to put more online attack tools in the hands of more front-line troops over the next five or ten years.
"We should be integrating [cyber] into the strike group and on the amphibious expeditionary side," he said. "We should view this as another toolkit that's available ... as a commander is coming up with a broad schema of maneuver to achieve a desired outcome or end state. That's what I hope."
He complained that at the moment, the decision to use online weaponry is too much like the use of nuclear weapons, "controlled at the chief-executive level and is not delegated down." That should change in the coming years, he opined, and said he hoped to get them used on a tactical level.
Rogers suggested that lessons should be learned from the US use of Special Forces units. These were previously carefully guarded and rarely deployed. But after the formation of the US Special Operations Command they became integrated with the regular army command structure. Rogers said he foresaw the same thing happening on the cyber front.
"I would create Cyber Command much in the image of US Special Operations Command," he said. "Give it that broad set of responsibilities where it not only is taking forces fielded by the services and employing them; it's articulating the requirement and the vision and you're giving it the resources to create the capacity and then employ it."
That might sound good, but Schneier pointed out that it would mean that the US might be making a rod for its own back. After all, these are not typical weapons to use, and they come with their own set of problems.
"These are fundamentally fragile things," Schneier said. "If you use a cyber weapon you have a very strong chance of rendering it unusable again. Do you want to give some second lieutenant the ability to do that?"
A few good hackers
Rogers said that the training and retention of human talent was going to be essential in the years ahead, and so far Cyber Command isn't having too many problems getting the people it needs, thanks to the unique nature of the job.
"That's a real selling point for us right now," he said. "The self-image of this workforce is that they are the digital warriors of the 21st century. The way they look at themselves – we're in the future, we're the cutting edge, we're doing something new, we're blazing a path. Everybody responds well to that."
He said that he tells staff they can do things within Cyber Command that they wouldn't be allowed to do outside of the military. That said, the force is bound by the Law of Armed Conflict, which limits attack choices to purely military targets.
Cyber Command is currently staffed by about 80 per cent military and 20 per cent civilian employees, he said. By contrast, the NSA is about 60 per cent civilian and 40 per cent military. Getting civilian employees is slightly more difficult than getting qualified military staff, he said.
Part of that is, no doubt, down to increased levels of security vetting involved. After all, they don't want another Snowden in the ranks. ®