The director of the National Security Agency told senators Tuesday that he’s not received direction to go after Russian hackers at the source as intelligence officials say Moscow’s campaign of election interference is continuing into midterm season.
Adm. Mike Rogers, who is expected to retire this spring, described to the Senate Armed Services Committee what the cyberspace domain looks like today compared to when U.S. Cyber Command, which he also leads, was founded nearly more than eight years ago.
“Today we face threats that have increased in sophistication, magnitude, intensity, volume and velocity, threatening our vital national security interests and economic well-being,” he said. “China and Russia, who we see as peer and near-peer competitors in cyberspace, remain our greatest concern, but rogue regimes like Iran and North Korea have growing capabilities and are using aggressive methods to conduct malicious cyberspace activities.”
“Further, several states have mounted sustained campaigns against … defense contractors to scout and steal key enabling technologies, capabilities and systems. Our adversaries have grown more emboldened, conducting increasingly aggressive activities to extend their influence without fear of significant consequence,” he added. “We must change our approaches and responses here if we are to change this dynamic.”
Cyber Command will be elevated to a unified combatant commander when Rogers retires, and in April the NSA will start moving into a “state-of-the-art” integrated cyber center and joint operations facility at Fort Meade, Md. “This will be our first fully integrated operations center that enhances the whole-of-government coordination and improves planning and operations against a range of growing cyber threats,” the director described.
Rogers stressed that innovation and rapid technological development “demand competition and the ability to leverage all partners, including small businesses,” and said the NSA intends in the coming year to “create an unclassified collaboration venue where businesses and academia can help us tackle tough problems without needing to jump over clearance hurdles, for example, which for many are very difficult barriers.”
Asked about the challenge of multiple government agencies responding to a cyber intrusion such as Russia’s ops to interfere in U.S. elections, Rogers noted that “the time it takes to deploy a capability, the time that it takes to coordinate a response across multiple organizations when those well-meaning and hard-working organizations are existing in separate structures, that’s not optimized for speed.”
Ranking Member Jack Reed (D-R.I.) asked if Russia’s “ongoing campaign to steal and leak confidential information from our candidates’ political parties, to plan and amplified misinformation to social media, to break into state election board networks” is of “significant consequence to our national security,” whether Russia “will continue to conduct cyber operations to achieve strategic objectives unless they face clear repercussions,” and if Russia is “attempting to achieve a strategic objective by influencing U.S. public opinion and elections.”
“Yes, sir. I believe they are attempting to undermine our institutions,” Rogers replied.
“Now, aside from our intelligence agencies operating under a presidential finding, are there any other organizations other than the Cyber Command’s Cyber Mission Forces that have the authority and capability to disrupt Russian election hacking operations where they originate? Does the FBI, DHS, or the states, the private sector, have such authorities or capabilities?” Reed asked.
“You could argue probably only that the — again, there’s a legal aspect to this that I’m not the most qualified — but probably you’d argue some combination of DOD, DOJ has the standing authority in that regard,” the NSA chief replied.
“But the mission teams, particularly at the origin of these attacks, have the authority to do so?” the top committee Dem continued.
“If granted the authority. And I don’t have the day-to-day authority to do that. If granted the authority,” he said, confirming such authority came from the president through the secretary of Defense.
“Have you been directed to do so, given the strategic threat that faces the United States and the significant consequences you recognize already?” Reed asked.
“No, I have not. But if I could flesh this out, I’ll say something in open and unclassified, I’d be glad to go into more detail in the classified,” Rogers said. “Based on the authority that I have as a commander, I have directed the National Mission Force to begin some specific work. I’d rather not publicly go into that.”
Reed asked why the U.S. is “essentially sitting back and waiting” for Russia’s next cyber attack; Rogers said he wouldn’t characterize the U.S. response that way. But, he added, “it’s probably fair to say that we have not opted to engage in some of the same behaviors that we are seeing, if I could just keep it at that.”
“We are doing some things,” the director told lawmakers.
Sen. Bill Nelson (D-Fla.) noted that “there are a lot of us that feel like we are still being attacked and that we’re going to be attacked, particularly with regard to our elections, which we consider as critical infrastructure.”
“And let the record note that you nodded affirmatively,” he added. “So what’s the holdup?”
Rogers called the issue “much broader than the DoD, much broader than Cyber Command.”
“Department of Homeland Security is overall responsible for this particular election infrastructure within this segment — the private — that has been identified as critical infrastructure. They’re the sector lead,” he said. “In fact, I had this conversation with the secretary of homeland security within the last couple weeks about what we’re doing to try to generate insights and knowledge to try to help their effort in their leadership role.”
Nelson asked if the NSA needed “the commander” to say, “Go after and punish these guys that are trying to tear apart our critical infrastructure.”
“What do you need?” the senator added.
“I’d need a policy decision that indicates that there are specific directions to do that. And I would need — again, I’d have to tee up — the normal way we work this process, I would then be tasked to tee up some specific options. I’d rather not go into specifics of any of that,” Rogers responded. “And then they would be reviewed by the secretary, the chain of command. The secretary would ultimately make a recommendation to the president as what he, the secretary’s, view are here. And then based on that, we’d be given specific direction and specific authority.”
“So you need a direction and specific authority from the White House?” Nelson asked.
“The president ultimately would make this decision, you know, in accordance with a recommendation in my experience from the secretary of Defense and others,” Rogers explained.