The Blog

Cybercom Commander: Public-Private Partnerships Needed for Cybersecurity

Relevant links are at the bottom of this post.

WASHINGTON, Nov. 16, 2016 — The public-private cybersecurity partnership between private companies and U.S. Cyber Command and other federal agencies has been uneven so far despite some fledgling success, but collaboration is critical given growing threats to everyone from cyberspace, the commander of U.S. Cyber Command said here yesterday.

 Navy Adm. Mike S. Rogers, who is also director of the National Security Agency, spoke during the Wall Street Journal’s CEO Council annual meeting on the fight for global security in an era of borderless wars.

On the government’s ability to help industry during major cyberattacks, Rogers said it’s unrealistic to expect the private sector alone to withstand the onslaught of activity that is being directed against them by nation-states and other actors.

“Likewise,” the admiral added, “I don’t think it’s realistic to say the government’s just going to do this [by itself] because the challenge with the government doing it is, if you want me to defend something I can’t … defend a network if I … don’t have access to that network structure,” a level of outside access the private sector has resisted.

Critical Success

An exception to this was Sony Corporation after a 2014 Sony Pictures Entertainment hack of confidential data sponsored by North Korea.

Rogers said that a positive aspect of the hack was great collaboration among a private company, the private-sector computer network expertise that Sony brought in and federal agencies.

“They knew they were dealing with something [after the hack] so they went out and hired expertise and capability from within the private sector,” the admiral said. “They then came to the conclusion that this was something bigger than they had initially thought so they reached out to the government. I give them big kudos for that.”

Sony officials were “very up front” when they approached the government, he added, saying they asked for help to understand what happened and to make sure it didn’t happen again.

Providing Value

“We said, if you want us to provide value and insight we need full access to your network and your data,” Rogers recalled, adding, “They had no issue at all, just insure that you inform us of what you’re doing, why you’re doing it and exactly what you’re doing and you stick to that.”

It “worked out great,” Rogers said, and there was good information flow between Sony and the U.S. government response team, which consisted mainly of Cybercom, NSA, the FBI and the Department of Homeland Security.

“One of the reasons why the partnership is so important — using NSA resources to monitor and guard U.S. networks — that’s not our mission,” Rogers said in March 2015 in testimony before the House Armed Services Committee on cyber operations, “and it’s against the law … but on the other hand, I do want to create a partnership where we’re able to share information with each other.”

The FBI was designated as the lead agency, Rogers said, “and the FBI turns to NSA and says, ‘We could use your analytic help, will you partner with us in working with Sony?’” The admiral said Sony cooperated completely with the government during the investigation.

Significant Calamity

Rogers said that as director of NSA and commander of Cybercom, the agreement he always reaches with whoever they’re working with is that neither agency will use the data they gain for anything other than the exact purpose they’ve discussed.

“I don’t want it to get to the point where it takes some significant calamity to drive us to the conclusion that we’ve got to do something different than what we’re doing now,” the admiral added.

During Rogers’ remarks, the audience of chief executive officers participated an instant poll was taken on the question: Do you trust the government enough with your information to work with it during a cyberattack? The choices were: a) absolutely, b) only if my company is attacked, or c) never.

The result was that 56 percent said they “absolutely” trusted the government enough to work with them, 34 percent said only if their company was attacked, and 9 percent said “never.”

For Rogers, this was a positive result.

“Overall that’s pretty good,” he said.

“Less than 10 percent of you said that there were no circumstances under which [you] would consider doing this. From my perspective that’s a broad positive — that means there’s a willingness among 91 percent of you to have some form of dialog and to potentially look at [partnering with the government on cybersecurity] as a possibility.”