NSA's Rogers makes the case for cyber norms

Clearer international norms and concepts of deterrence can help prevent cyber conflicts from spiraling out of control, National Security Agency Director Adm. Michael Rogers told a crowd of cybersecurity professionals Feb. 23.

Those words might have sounded more familiar coming from a State Department official than the man in charge of the U.S. offensive cyber capabilities and its global intelligence-collection enterprise. But Rogers, citing conflicts in Georgia, Ukraine and Iraq, said nearly every recent war has had a cyber dimension to it, lending urgency to the need for "norms of behavior" and "concepts of deterrence."

A recently revealed NSA document underscores the potential of cyber espionage to escalate. The classified document, leaked by former NSA contractor Edward Snowden and published by The Intercept, reveals the NSA has been concerned that Iran’s cyber capabilities have improved because of a cyberattack against Iran itself. Tehran "has demonstrated a clear ability to learn from the capabilities and actions of others," the document states.

"Escalation is not something that is unique to the domain of cyber," Rogers said at a New America Foundation conference in Washington, D.C. "So, just as we have developed frameworks over time to help us address the issue of escalation in a more kinetic, more traditional world," the same will have to be done in cyberspace.

Rogers would not comment further on the Iranian revelation, nor a recent Reuters report attributing to the NSA a global cyber espionage program that has infected computers in more than 30 countries.

Asked to define a "cyber Pearl Harbor," a phrase used in 2012 by then-Defense Secretary Leon Panetta, Rogers replied: "An action directed against infrastructure within the United States that leads to significant impact -- whether that’s economic, whether that's in our ability to execute our day-to-day functions as a society, as a nation." He added that the hack of Sony Pictures Entertainment last November met that dire criteria. Movie studios fit into the U.S. government’s broad definition of critical infrastructure.

In succeeding retired Gen. Keith Alexander last year, Rogers became the second official to head both the NSA and the U.S. Cyber Command, the latter of which was formally set up in 2010. Cyber Command’s mission includes defending Defense Department networks and, when directed, carrying out attacks on foreign cyber assets. NSA’ mission includes global intellection collection and information assurance.

Some critics have taken issue with the two organizations' convergence. A technology and privacy review panel appointed by President Barack Obama in 2013 advised against having one official head the NSA and Cyber Command, but the administration rejected the recommendation.

Rogers defended the unity of NSA and Cyber Command as crucial to cybersecurity. "Given where U.S. Cyber Command is in its maturity and its journey right now, it needs the capabilities of the National Security Agency to execute its mission to defend critical U.S. infrastructure and to defend the department's networks," he said.