The director of the National Security Agency and Commander of the U.S. Cyber Command, Admiral Mike Rogers said that in 2014, 91 percent of software vulnerabilities discovered by the NSA were publicly disclosed.
He made the comments at the Reagan National Defense Forum Nov. 7, where a gathering of national security officials discussed the various digital threats facing the US.
Charlie Savage, correspondent for the New York Times and moderator for the event, asked the panelists whether zero-days — software vulnerabilities of which the public and proprietors are unaware — the government finds should be hoarded and weaponized or whether the government should tell a company so the exploit can be fixed. (RELATED: New Russian Hacker Exploit ‘Most Significant Cyber-Espionage Threat’ To US, NATO Partners)
Admiral Rodgers wanted to quash any lingering questions regarding the NSA’s position on software vulnerabilities. “First, there shouldn’t be any doubt in anyone’s mind that the direction clearly to us within the US government structure, is a preference to disclose vulnerabilities. Because a secure Internet is in the best interest of our nation and the broader world around us.” (RELATED: Wikipedia Sues The NSA To End Mass Surveillance)
He then went on to claim the agency only keeps about 9 percent of exploits they discover.
Rogers explained that the NSA’s general protocol when deciding whether or not to withhold an exploit is based on the value of the insights the vulnerability generates and what the total price will be for not sharing the vulnerability.
Rogers said the government is “not going to hold on to things just theoretically” and that there has got to be value in the exploit. With respect to the cost of not sharing, the agency evaluates how broadly the vulnerability is deployed, what economic impact it will have, and what the impact on businesses will be.
Rep. Michael McCaul, chairman of the House Homeland Security Committee, agreed and added that the trick is getting the private sector “to expose and share threat vulnerabilities,” but he was quick to recognize that without “liability protections, companies are not incentivized to do it.” (RELATED: Flashback: FBI – No Way To Vet Incoming Syrian Refugees [VIDEO] Photo of Kerry Picket)
Software vulnerabilities were one of several topics addressed at the Reagan Forum. Savage also asked the panelists about the challenges in identifying and deterring the actors engaged in cyber attacks against the US.
Rep. Adam Schiff, Ranking Member of the House Intelligence Committee, plainly stated the U.S. doesn’t “have much of a deterrent, and this is the area where I think we are farthest behind.” He specifically recalled the Sony hack committed by the North Koreans on Nov. 2014. (RELATED: Tech Cybersecurity Firm Identifies Six In Sony Hack — One A Former Company Insider)
“If you look at North Korea’s attack on Sony, what cost did North Korea pay,” he asked the audience. The US is going to “have to think very creatively about how we establish deterrence in this arena.” (RELATED: North Korea’s Internet Could Be Under A Major Attack)
Marcel Lettre, the Department of Defense Acting Under Secretary of Defense for Intelligence, said that from a deterrence standpoint, the US goal is focused on: being able to deny adversaries the objectives they are seeking, being resilient in the face of a successful attack, and being able to impose heavy costs upon U.S. adversaries.
Doing any of that, of course, relies upon the U.S. government’s ability to adequately identify the perpetrator of the hack, a task made increasingly difficult as technology becomes more secure and more given to anonymity.
Lettre said he envisions by 2018, a “6,200 strong cyber force” that allows the Pentagon to implement deterrence strategies, while defending the U.S. digital infrastructure and networks.
Both Lettre and Schiff admitted that identifying specific cyber actors was a difficult endeavor, in part due to the risk of exposing an intelligence asset or acknowledging certain technological capabilities that should remain secret.
All of the panelists generally agreed that there exists sufficient legal authority for decision-makers to protect U.S. cyber interests. (RELATED: Federal Judge Stops NSA’s Mass-Collection Program)
Rodgers specified that the real question wasn’t about the amount of legal authority. It was whether the government has “the processes, speed and agility to deal with threats,” within the existing framework of the law.
An audience member asked the officials how privacy played a role in the larger efforts in the cyberwar.
Schiff noted that legislation in Congress has placed a premium on privacy with respect to cybersecurity. He specifically mentioned the progress made in the Cybersecurity Information Sharing Act, where an individual’s personally identifying information is now scrubbed by the private company and the government. (RELATED: Twitter, Other Tech Juggernauts Choose Privacy Over New Cybersecurity Bill)
However, Schiff said that the “mother of all privacy-security challenges” is the issue with encryption. (RELATED: FBI Asks Congress For Backdoor Access To All Cellphones For Surveillance)
“You have technology companies that are now encrypting their text message applications. You have devices now that are increasingly sophisticated in their encryption of the device itself…[intelligence gathering communities] are no longer having access to a great body of communications including those between very bad people,” he said.
Savage also asked the panelists what was their greatest cyber fear.
McCaul immediately said his worry was a destructive digital attack, where a denial of service attack brings “down things like power grids, like the financial sector, like the energy sector.” (RELATED: How Vulnerable Is The US Electrical Grid To Hacking?)
Rogers claimed that the manipulation of data, to the extent that the “digital underpinning that we have all come to rely on is no longer believable,” is his biggest fear. Rogers said adversaries tampering with data could result in decision makers unintentionally exacerbating problems, rather solving them, because the evidence used to substantiate decisions is flawed. (RELATED: White House Hiding Pentagon Report On Russia’s Breach Of Nuclear Treaty)