BALTIMORE, Md.–The chief warrior in the U.S. battle against the world’s cyber-bad guys is just as worried about having his personal data breached as any of us.
Also, like many of us, he admits to being a bit bewildered about how governments, enterprises and individuals can fend off insider attacks, DDoS events, zero-day exploits, malware and other security issues that have become as common as drinking water in this Age of Internet.
But Admiral Michael S. Rogers (at left in photo with Jeffrey Wells), chief of the U.S. Cyber Command and director of the National Security Agency, is convinced that through effective working partnerships among government agencies, the military, law enforcement and key players in the private sector, long-term solutions will be found in the ongoing efforts to secure personal and business data and keep it out of the hands of cyber-criminals.
Rogers on Oct. 29 addressed attendees at the two-day Cyber Maryland Conference here at the Baltimore Convention Center. About 1,000 stakeholders were registered. eWEEK was on hand both to cover the event and to moderate a panel discussion on Internet of things (IoT) security.
Because more than 250 companies and service providers are located in the Maryland-Virginia-Washington, D.C., region, it is fast becoming global ground zero for the cyber-security business.
Cyber Maryland Initiative Providing Leadership in Security Sector
Silicon Valley also has its indigenous security companies, but it also has so many other IT-related players that it simply cannot specialize the way Maryland can. Gov. Martin O’Malley, who also spoke at the Oct. 29-30 event, started the Cyber Maryland coalition initiative five years ago. Cyber Maryland promotes partnerships among government agencies, security software and services providers, educational institutions and security experts in an effort to drive innovation–and create jobs–in the sector.
“Securing the IoT is a huge issue for all of us,” Rogers said during a fireside-type chat with conference co-organizers Darin Andersen, founder and chairman of the San Diego-based CyberTECH, and Jeffrey Wells, executive director of Cyber Development in Maryland’s Department of Business and Economic Development. “Literally every person on earth is a sensor. We have billions of devices. It’s a daunting task.
“We talked about BYOD a year ago, and we’re still talking about it. From a cyber-security perspective, that’s a fundamental challenge–plus, it’s a society issue. I don’t think we fully understand this yet–the second and third order of effects [of securing the IoT], involving all this connectivity, all those devices and the public and the private interests. It brings amazing opportunities but also potential tremendous vulnerability. We’ve got to work our way through this,” Rogers said.
Advantages of Having All Those Connected Devices Are Great
None of us is going to walk away from the conveniences these devices provide, Rogers said.
“People on average have three to five or more connected devices; we will see many more in the future. How are we going to make this work, how are we going to secure them all? That’s for all of us to work toward,” Rogers told the audience.
As for the ever-present threats posed by numerous malevalent forces around the world, Rogers acknowledged that there is much more work yet to be done, but he believes the cyber-force he is building at the federal and military levels is up to holding its own. Then he integrated into the talk a hot news issue — the idea of the Ebola virus — that provided more food for thought.
“What if we had an Ebola-like challenge in the Internet?” Rogers said. “Not something actually infectious, but what if we had something equivalent to that in digital form, that could replicate on a global scale, with the potential ability to impact our information flow? That’s pretty amazing to me, but we’ve got to think about it.”
How NSA Director Wants to Build an IoT Security Coalition
Government, Enterprise Needs to Be Faster at Responses
Cyber-criminals move, attack, steal data and change addresses too quickly for the current status quo to continue. “People will say that we can just send Excel spreadsheets and email attachments to solve the problems,” Rogers said. “I say, ‘Are you kidding me?’ That’s not going to work for us.”
“As companies, governments and individuals continue to fear and deal with theft of their property by cyber-criminals, we have got to find a framework that we can use to bridge all the different players and bring them all together into one integrated team,” Rogers said. “The Congress is looking at legislation right now on this, and I think it’s critical for us as a nation. We need to adopt the great capability for both the private sector and the government to share information both ways, in near-real time, at machine speed, to fix our security apparatus.”
Rogers said that to make this collaborative process work, “we need to start big [with the largest corporations] and work our way down [to small businesses and individuals]. JP Morgan, for example, just committed to a $500 million investment into cyber-security; how many people can do that? I’m hoping we start with the largest companies with biggest resources and work it down.”
Could We Be on the Brink of a Cyber-War?
Andersen and Wells, citing several examples of commercial and governmental IT disruption by Middle Eastern nation-states and organized crime from places such as Russia, Eastern Europe and China, asked Rogers if he thought the United States may on the brink of a cyber-war.
“Clearly in government we’re trying to work through these things,” Rogers said. “What we need to determine is: What is the intent of the action? Is it just for access, or is it a criminal act? We have different thresholds for one thing or another. Is it a destructive action? Is somebody changing out data? Are they destroying infrastructure? They can do all of that. From a military standpoint, those are some of the nuances we look for.”
Part of Rogers’ responsibility is to actively continue to build the U.S. cyber-work force–within the government and military, with the help of the private sector.
“We’re not the ones who will come up with the innovation,” Rogers said. “We’re not going to invent the new security products and services. That’s going to come from the commercial sector, as it should. We’re willing to work side by side with anybody who’s got good ideas.
“Ten years ago, I was worried whether we could recruit and train a cyber-workforce. But we have been able to do that. We have an ethos, a culture of service that’s bigger than ourselves. We do something that matters. It is all of those things that will allow us to compete.”