SAN FRANCISCO -- The NSA is too big and slow to effectively fight ingenious cyber attacks without the help of Silicon Valley tech expertise, so it’s time to patch up relations between the two, the head of the NSA told a gathering of tens of thousands at RSA Conference 2016.
Attacks like the one that took down the Ukraine power grid last year can happen here – it’s just a matter of time, says Adm. Mike Rogers, director of the NSA.
Before that happens, NSA and private security experts need to come together, plan responses and practice them.
Rogers calls for the NSA and Silicon Valley to change what they’re saying to each other in order to come up with answers that best serve the country and figure out “what to do when we get penetrated,” which is just a matter of time. “We spend a lot of time right now talking about what we can’t do.”
Rogers was on a fence-mending mission after stolen data released by Edward Snowden showed that the NSA carried out bulk surveillance of U.S. telecommunications, which alienated many in the tech industry.
During his keynote address Rogers repeatedly said both sides have to overcome that rift. “I believe in what you bring to the fight,” Rogers says. “We are not going to solve this in the government.”
The sheer size of the NSA hurts its ability to come up with answers to cyber threats quickly, but Silicon Valley companies have the agility and skills to help. “Bureaucracy and innovation don’t go well together,” he says.
Rogers says he thinks both sides need to find a balance between privacy and the intelligence the NSA needs to gather. “Everything we do must comply with the law,” he says. “What we do is for the citizens and we need to be responsible to the citizens. … We need to set an acceptable level of risk. It’s time for us to all stop talking past each other.”
In order to persuade the audience, Rogers outlined the responsibilities of the NSA to defend Department of Defense networks, staff the agency with enough skilled personnel to carry out offensive and defensive cyber activity and defend critical U.S. infrastructure such as power and water delivery systems, financial systems and aviation.
He says he is fast-tracking a program to get a 6,200-person cyber-mission force fully operational by September 2018, with parts of it up and running by September of this year. “We can’t wait for it to be perfect anymore.”
He outlined his three big concerns for the next three years:
- Attacks on U.S. critical infrastructure like the attack late last year against the power grid in Ukraine. The attack was sophisticated and meant to take down the grid, but the attackers were also observing how the power staff responded and tried to slow down restoration of services.
- Use of data theft to alter critical data so, for example, account information stored by banks is inaccurate. It could be used against the military, too, to corrupt intelligence used to make strategic decisions.
- Use of social media and other cyber tools by criminals to provoke destructive behavior, similar to how nation-states use it to recruit membership to extremist groups.