US Navy Vice Adm. Michael Rogers testifies Tuesday on his nomination before the Senate Armed Services Committee. (Agence France-Presse)
WASHINGTON — When Army Gen. Keith Alexander submitted written answers to questions for his confirmation hearing to head the newly created Cyber Command in 2010, he avoided publicly answering all or part of 29 questions, instead providing his responses to Congress in a classified document.
The hearing itself largely consisted of a series of senators heaping praise on the general.
When Vice Adm. Michael Rogers stopped by the Senate Armed Services Committee (SASC) on Tuesday for his confirmation hearing to succeed Alexander, he delivered written responses to a similar set of questions that were quite different. Not once did he invoke the need to provide answers in a classified format.
It was just one example of how Cyber is being treated differently in the last four years as it has gained prominence and been somewhat unmasked by the Edward Snowden disclosures. Obama administration officials have begun to lean toward transparency to allay concerns about the growing Cyber Command arsenal and its ability to scoop up information on Americans.
Rogers’ hearing, while containing some skeptical questioning from senators because of Rogers’ recent appointment to head the National Security Agency as well, was civil. Despite predictions from some that there would be fireworks, there were few.
But because Rogers has largely remained behind the scenes, rarely giving interviews during his time as head of the US Navy’s cyber force, his nearly 50 pages of answers provide a rare glimpse of how he views the top cyber job.
While the scrutiny of the dual-hatted NSA/CYBERCOM (Cyber Command) job may have increased, there’s one common thread between Alexander’s and Rogers’ answers, despite the four-year gap. There’s still a lot of work to do to sort out how and when Cyber Command weapons and tools are to be used.
“The U.S. possesses superior military might across all warfighting domains, cyberspace included,” Rogers wrote. “In truth, however, there has been no large scale Cyber conflict yet in history, and the state of strategy and execution of Cyber warfare is evolving as we speak.”
Alexander noted that back in 2010, the Defense Department was hard at work developing those strategies, but in several areas, including the rules of engagement, the administration has seen delays as complicated policy that had never before encountered a borderless realm like cyberspace is brought up to date.
Both Alexander and Rogers were careful to define what often is described as “attack-back” capabilities, or using offensive tools to go after an attacker after they have commenced an attack. In DoD parlance, any such activity is by its nature defensive.
When asked if the U.S. could legally use “offensive Cyber weapons” to respond to an attack even if U.S. forces didn’t fully know who was behind the attack, both wrote yes.
“If the ‘attack’ met the criteria approved by the President in our Standing Rules of Engagement, the military would exercise its obligation of self-defense,” Alexander wrote. “Operationally, it is difficult to develop an effective response when we do not know who is responsible for an ‘attack’; however, the circumstances may be such that at least some level of mitigating action can be taken even when we are not certain who is responsible.”
Rogers was even more direct in his interest in maintaining the model of “self-defense.”
“I’d note that in such an event, U.S. Cyber Command would be employing Cyber capabilities defensively, in the context of self-defense,” he wrote.
The SASC’s ranking member, Sen. James Inhofe, R-Okla., has been a strong proponent of developing a more direct cyber deterrence policy. This approach has split cyber experts, who wonder whether such a model can function when cyber weapons need to be secret to be effective.
Inhofe raised the topic during the confirmation hearing, and Rogers answered several questions on the topic in his written responses.
Rogers wrote that work is being done to create a deterrence strategy.
“The establishment of U.S. Cyber Command is an element of a deterrence strategy, but more work and planning will be required to evolve a solid national strategy,” he wrote.
“Classic deterrence theory is based on the concepts of threat and cost; either there is a fear of reprisal, or a belief that an attack is too hard or too expensive. Cyber warfare is still evolving and much work remains to establish agreed upon norms of behavior, thresholds for action, and other dynamics.” Rogers wrote.
“A broad understanding of Cyber capability, both defensive and offensive, along with an understanding of thresholds and intentions would seem to be logical elements of a deterrence strategy, both for our allies and our adversaries, and as they are in other warfighting domains.
“I believe we’ll see much discussion of the structure and implementation of our Cyber deterrence strategy from DoD and Intelligence Community experts, along with Interagency engagement.”
While nearly everything Rogers wrote meshes with the cyber messages the Obama administration has been delivering for months, there is one area where he presented a strong case for change: elevating CYBERCOM to full unified combatant command status.
Two years ago, word leaked out of the Pentagon that CYBERCOM shortly would be moved out from under US Strategic Command, but then nothing happened. Last year, the Joint Chiefs of Staff chairman, Army Gen. Martin Dempsey, said he was comfortable leaving CYBERCOM where it was.
“I’m actually content, the way that we’re organized right now,” he said. “If cyber becomes such a dominant factor in military operations that it warrants elevating it to a unified command — by the way, I anticipate that happening at some point — but at this point, STRATCOM with its global reach responsibilities as well as its base responsibilities is also able to manage the workload,” Dempsey said.
Rogers, in his written answers, strongly advocated for that elevation. He said the current model delays responses in situations where presidential authority is needed.
“Cyberattacks may occur with little warning, and more than likely will allow only minutes to seconds to mount a defensive action seeking to prevent or deflect potentially significant harm to U.S critical infrastructure,” he wrote.
“Existing department processes and procedures for seeking authorities to act in response to such emergency actions are limited to Unified Combatant Commanders. If confirmed, as the Commander of U.S. CYBERCOM, as a Sub-unified Combatant Commander, I would be required to coordinate and communicate through Commander, U.S. Strategic Command to seek Secretary of Defense or even Presidential approval to defend the nation in cyberspace.
“In a response cycle of seconds to minutes, this could come with a severe cost and could even obviate any meaningful action. As required in the current Standing Rules of Engagement, as a Combatant Commander, I would have the requisite authorities to directly engage with SECDEF or POTUS as necessary to defend the nation.”
Whether or not CYBERCOM is elevated, it was clear that Rogers is taking a different tack. When asked about his intelligence experience and whether that would allow him to effectively perform the job of commander, Rogers wrote about his experience working with IT systems and developing capabilities.
Alexander’s response to ostensibly the same question?
“Answer provided in the classified supplement.”