Crossroads Blog | CYBER SECURITY LAW AND POLICY

critical infrastructure, cyber attack, Cyber Command, Cyber Exploitation, industry standards, Michael Rogers, NSA

US Control Systems Have Been Hacked By Nation States – NSA Director Warns “This Is Not Theoretical”

“The cyber threat is real, this is not theoretical.” – National Security Agency Director Admiral Michael Rogers.

At a hearing in Washington today of the House Intelligence Committee, National Security Agency Director Admiral Michael Rogers discussed the nation’s cyber vulnerabilities.  Roger set out the three missions of the US Cyber Command: defend DOD’s network, generate a cyber commission force, and provide DOD capability to defend critical infrastructure.

According to Rogers, multiple nation states have already developed the capability to shut down our industrial control systems.  Specifically, this means that these nation states can shut down or forestall the control systems that control our water, power, financial systems, and aviation.  Not only that, Rogers states that these nation states have already been discovered hacking into these systems.

Nation states are not the only actors with the capability to launch a cyber attack.  According to Rogers, organized crime groups also pose a risk to our nation’s security.  These groups penetrate systems to gain information that they can sell on illegal markets.  Rogers predicted a terrifying future  trend: nation states using these groups as surrogates to create plausible deniability.

Rogers pointed to the absence of international norms in cyberspace as reason for our expanding cybersecurity risks.  According to Rogers, this deficiency has resulted in the appearance of an online world without consequences.  When Congressman Jim Hines asked Rogers what types of norms should be set, his first response dealt with emergency response.  According to Rogers, an emergency response norm would involve an agreement not to attack a nation’s emergency response capabilities.  Other norms mentioned by Rogers included norms protecting critical infrastructure, intellectual property, and anything else that could lead to loss of life or loss of control.

On the one hand, it is not surprising that it is taking time to develop these international cyber norms.  Rogers compared the current cybersecurity risks to nuclear risks during the Cold War, pointing out that the policy of deterrence did not develop overnight. However, Rogers also suggested that the current cyber threat presents additional problems.  While the execution of the nuclear threat was originally limited to a few nation states with the finances and power necessary to carry out that threat, the current cyber threat is not restricted by those obstacles.  In addition to nation states, groups and individuals are able to carry out cyber attacks individually.  Moreover, Rogers pointed out that unlike the nuclear model, developing the capability to perform a cyber attack is inexpensive.

For news coverage of the hearing: Business Insider, Washington Times, ABC News, Bloomberg.

Leave a Reply