WASHINGTON, D.C. — Over five years of U.S. Cyber Command operations, global movement of threat activity through cyberspace has blurred roles and relationships among government agencies, as well as between the public and private sectors and the real and virtual worlds, the Cybercom commander told a House panel.
Navy Adm. Michael S. Rogers testified March 4 before the House Armed Services Committee on cyberoperations and improving the military’s cybersecurity posture.
“There is no Department of Defense solution to our cybersecurity dilemmas,” Roger said in written testimony. “The global movement of threat activity in and through cyberspace blurs the U.S. government’s traditional understanding of how to address domestic and foreign military, criminal and intelligence activities.”
Similarly, he said, the public and private sectors need each other’s help.
“The U.S. government, the states and the private sector can’t defend their information systems on their own against the most powerful cyber forces,” the admiral said.
“We saw in the recent hack of Sony Pictures Entertainment that we have to be prepared to respond to cyberattacks with concerted actions across the whole of government,” he added, “using our nation’s unique insights and complete range of capabilities in cooperation with the private sector.”
Cyberspace is more than a challenging environment, Rogers said.
“It is now part of virtually everything we in the U.S. military do in all domains of the battle space and each of our lines of effort,” he said. “There is hardly any meaningful distinction to be made now between events in cyberspace and events in the physical world, as they are so tightly linked.”
Cybercom is growing and operating at the same time, he said, performing many tasks across a diverse and complex mission set.
Three years ago, the command lacked capacity, Rogers said. Today, new teams are guarding DOD networks and are prepared to help combatant commands deny freedom of maneuver to adversaries in cyberspace, he added.
Cybercom’s Cyber Mission Force, or CMF, was formed to turn strategy and plans into operational outcomes, the admiral said.
“With continued support from Congress, the administration and the department,” Rogers said, “Cybercom and its service cyber components are now about halfway through the force build for the CMF, (and) many of its teams are generating capability today.”
He added, “We have a target of about 6,200 personnel in 133 teams, with the majority achieving at least initial operational capability by the end of fiscal year 2016.”
Cybercom has been normalizing its operations in cyberspace, he said, to provide an operational outlook and attitude to running the department’s 7 million networked devices and 15,000 network enclaves.
The department’s legacy architecture, created during times when security was not a core design element, is being transitioned to a more secure and streamlined architecture that is part of what ultimately will be the Joint Information Environment, or JIE.
“While the JIE is being implemented,” Rogers said, “our concerns about our legacy architecture collectively have spurred the formation of our new Joint Force Headquarters to defend the department’s information networks.”
The Joint Force Headquarters recently achieved initial operational capability, the admiral added, working at the Defense Information Systems Agency under Rogers’ operational control at Cybercom. Its mission is to oversee the day-to-day operation of DOD networks, he added, “and mount an active defense of them, securing their key cyber terrain and being prepared to neutralize any adversary who manages to bypass their perimeter defenses.”
“It gets us closer to being able to manage risk on a systemwide basis across DOD,” Rogers added, “balancing warfighter needs for access to data and capabilities while maintaining the overall security of the enterprise.”
The admiral said the new headquarters is a stopgap measure while the department migrates its systems to a cloud architecture that’s more secure and facilitates data sharing across the enterprise.
As network security has advanced, so has the maturity of the cyber force, which has gained what Rogers called priceless experience in cyberspace operations.
“That experience has given us something even more valuable — insight into how force is and can be employed in cyberspace. We have had the equivalent of a close-in fight with an adversary that taught us how to maneuver and gain the initiative that means the difference between victory and defeat,” he explained.
Such insight is increasingly urgent, because every conflict in the world has a cyber dimension, the admiral said, adding that the command sees patterns in cyber hostilities that indicate four main trends:
• Autocratic governments that view the open Internet as a lethal threat to their regimes;
• Ongoing campaigns to steal intellectual property;
• Disruptions by a range of actors that range from denial-of-service attacks and network traffic manipulation to the use of destructive malware; and
• States that develop capabilities and attain system access for potential hostilities, perhaps with the idea of enhancing deterrence or as a beachhead for future cyber sabotage.
“We believe potential adversaries might be leaving cyber fingerprints on our critical infrastructure, partly to convey a message that our homeland is at risk if tensions ever escalate toward military conflict,” Rogers said.
Heartbleed and Shellshock
For instance, he told the House panel, “I can tell you in some detail how Cybercom and our military partners dealt with the Heartbleed and Shellshock vulnerabilities that emerged last year.”
The Heartbleed Bug is a serious vulnerability that allows attackers to steal information, usually encrypted, that’s used to secure the Internet for applications such as Web, email and instant messaging, among others. Attackers can eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.
Shellshock is a vulnerability that gives attackers the ability to run remote commands on a system.
The admiral said these serious flaws inadvertently were left in the software that millions of computers and networks in many nations depend on.
Responsible developers discovered both security holes, Rogers said. They kept their findings quiet and worked with trusted colleagues to develop software patches that system administrators could use to get a jump on those who read the same vulnerability announcements and devised ways to identify and exploit unpatched computers, he said.
“We at Cybercom and (the National Security Agency) learned of Heartbleed and Shellshock at the same time that everyone else did,” the admiral said.
Military networks are probed for vulnerabilities thousands of times an hour, he added, so it wasn’t long before they detected new probes checking their websites and systems for vulnerabilities.
“By this point, our mission partners had devised ways to filter such probes before they touched our systems,” Rogers explained. “We were sheltered while we pushed out patches across DOD networks and monitored implementation,” directing administrators to start with the most vulnerable systems.
“Thanks to the efforts we have made in recent years, our responses … were comparatively quick, thorough and effective, and in both cases they helped inform corresponding efforts on the civilian side of the federal government,” the admiral added.
“We also know that other countries, including potential adversaries, struggled to cope with the Heartbleed and Shellshock vulnerabilities,” he noted.
Rogers said this operational approach must be built in many more places.
“The nation’s government and critical infrastructure networks are at risk as well,” he said, “and we are finding that computer security is really an enterprisewide project.”
The admiral added, “We in the U.S. government and DoD must continue learning and developing new skills and techniques … (and) the nation must continue to commit time, effort and resources to building cyber military capabilities.”