When Adm. Michael Rogers took to the stage at RSA 2016, held last week in San Francisco, to discuss what the agencies under his charge were doing to combat cyberthreats and evolve, there were some lessons for state and local government in his remarks as well, if you listened carefully.
Rogers heads up the U.S. Cyber Command and oversees the National Security Agency and Central Security Service. While most of his keynote remarks on March 1 were about how his particular organizations were adapting, he also shared valuable insights that agencies at all levels of government would be well advised to make note of.
Rogers pointed to the need for organizations to better identify and classify the information they collect.
With the value of data seemingly increasing by the day, he said knowing what data is being held where is a key part of protecting it from nefarious actors.
“If we could take anything away from [the Office of Personnel Management (OPM)], and from Anthem, data in itself is an increasing commodity of interest to many, who have a strong desire to steal it,” he said. “We’re spending a lot of time in the department mapping; where are we holding [that] data?”
For state and local governments, without the vast resources and protections of the DoD or NSA, this inventory process becomes especially important.
As many panelists pointed out during the week-long conference, knowing what information is being collected and by whom is an often underestimated part of protecting valuable, and in some cases dangerous, data.
“This is not going to get better anytime soon." Rogers said. "And it’s going to require all of us to really do some hard innovative work because there are a lot of adversaries out there and their behavior continues to change."
The fact that technology is not standing still — or waiting for anyone — was also a key point made by the high-ranking national security leader.
Looking toward the future and anticipating potential challenges was another theme he referred back to several times during his keynote address.
With so many public-sector organizations relying on outdated legacy equipment, Rogers said there needs to be attention paid to fundamental security principles, and how secure networks are developed and maintained moving forward.
“How do you create a network in which defensibility, redundancy and reliability are core design characteristics?” Rogers said. “Because for most of us in the world we are living in, the networks we're all trying to defend, the systems we're all trying to defend, many were built in a very different time and place, when the idea of an external actor attempting to aggressively penetrate or gain access to those systems wasn’t a primary concern, wasn’t a primary design [criterion].”
Rogers said his respective agencies are looking to 2025 and working with industry partners to stay ahead of changes in the larger environment.
Though Rogers lives in a world of weapons systems, national security and intelligence gathering, his points about fostering a prepared and diligent workforce translate to any organization, public or private.
He was quick to point out that while technology is a major part of modern daily operations, it cannot meet the real-world demands without talented people to back it up.
“I always tell people, ‘Look, technology is a fundamental aspect of this problem, but it is not the end-all, be-all. And don’t ever forget the human dimension in this,’” he said.
The addition of the human element to the equation offers both opportunity and potential for problems, according to Rogers.
“Cyber is so foundational that every individual we’ve given access to a keyboard represents both a potential point of opportunity and a potential point of vulnerability. You can have the greatest defensive scheme in the world, but you can’t forget user behavior,” he said. “And so, part of our strategy about the workforce element is what is the kind of training and what do we need to ensure that every individual we’re giving access to on that network understands the implications of the choices they make?”
Preparing leadership is an essential part to success in this arena. To incite cultural change and a better understanding of actions and implications, Rogers said leadership must be trained and educated, and know what is expected.
Silicon Valley, namely Apple, has been in the headlines recently for its refusal to cooperate with FBI requests to unlock a cellphone at the heart of the December 2015 mass shooting in San Bernardino, Calif.
In spite of this particular case and the lack of agreement, Rogers said the private sector will continue to play an expanding role in government’s ability to meet mounting cybersecurity challenges.
“I believe the future is all about partnerships and all about integration,” he said. “We are not going to solve this within the government and within the Department of Defense specifically. It’s the power of partnerships and the ability to work together that, I believe, are going to generate the best outcomes for the department, for the nation and I hope for all of you.”
Rogers said the establishment of a working group to bridge the gaps between Cyber Command and the private sector is one way his agencies are starting a dialog to improve government and move past the more traditional transactional relationship.
“As much as I love the NSA, I am the first to acknowledge that I am part of a larger bureaucracy," he said, "and bureaucracy and innovation generally don’t go together all that often."
All of the technology and talent in the world won’t save you if you aren’t prepared for an incident. Rogers said trainings and real-world scenarios should be a core part of the organizational IT framework.
He repeated the “not if but when” mantra that's so commonplace in the IT world, and said that action plans need to be followed up with training to truly become part of the organizational culture.
Rogers went on to say there is no single answer to ever-increasing cyberthreats, and that technology alone will not be effective without its human counterparts.