NSA director: Detection trumps prevention

NSA's Michael Rogers made his comments about the ubiquity of cybersecurity threats as part of an effort to be more transparent about his agency's activities.

Cybersecurity professionals in government and the private sector would do well to shift their focus from trying to prevent cyberattacks to detecting and assessing them, National Security Agency Director Adm. Michael Rogers said June 3.

"I wish that we lived in a world where we can guarantee no one is going to access or gain entrance into our systems," he said at an event hosted by Bloomberg Government in Washington, adding that doing so "is becoming increasingly difficult."

The somewhat rare public comments from an NSA chief were meant to highlight the ubiquity of cybersecurity threats and Rogers' stated effort to be more transparent about his agency's intentions after the leaks of former NSA contractor Edward Snowden.

Rogers, who also leads U.S. Cyber Command, called transparency his greatest challenge as NSA director, a role he took over from Gen. Keith Alexander in April. Rogers said he intends to explain publicly, in broad terms, the rationale behind NSA's intelligence gathering.

Describing a hypothetical conversation with NSA employees, he said, "I need you focused on the mission and doing things right. Let me take the heat on the outside. That's what they pay me for."

After Snowden's revelations, which included the fact that NSA collected bulk phone records on U.S. citizens, officials have repeatedly stressed that the agency spies on foreigners, not American citizens. NSA must abide by legal restrictions when it comes across U.S. citizens' data in the midst of gathering foreign intelligence, Rogers said. He emphasized the point in an effort to dispel what he said was a public misconception about his organization.

"A broad dialogue about what we're doing and why is a good thing for us as a nation," he said. "I don't question that for one minute because as much as I am proud of being a flag officer in the United States Navy, I am also mindful I was a citizen in this nation before I ever started this journey in uniform, and when this journey is over, I just want to go back to being just another citizen."

Continuing his hypothetical conversation with NSA employees to boost morale after Snowden's leaks, Rogers said, "The outside world has...come to the conclusion that we have not, knowingly and on a broad scale, attempted to circumvent law or violate procedure. And yet I go home and my family asks me, 'Hey, what are you doing with my phone?'"

The NSA director said he had seen clips of Snowden's recent televised interview with NBC's Brian Williams in which the former contractor spoke of his previous IT work in the intelligence community. Asked to react to the interview, Rogers said Snowden came across as intelligent and articulate but also arrogant.

About the Author

Sean Lyngaas is a staff writer covering defense, cybersecurity and intelligence issues. Connect with him on Twitter: @snlyngaas.

Featured

Reader comments

Wed, Jun 4, 2014

Humans aren't perfect and they don't create perfect machines. There is no invulenerable system. Invulnerability is a relative term. Over time everything is vulnerable. Being able to detect quickly and mitigate when a gap has been discovered allows one to reduce the harm. While there is such a thing as hardening a system, it does not make a system invulnerable. Systems still need to be able to be built by humans, maintained by humans, and utilized by humans to perform a function. Systems also have physical requirements. All of these are threat vectors.

Wed, Jun 4, 2014

I guess if all you have is a hammer... There's plenty that could be done to improve security and better our defenses but seemingly endless spending on postmortem breach discovery greatly reduces the available budget for improving security. As an x-NSA employee and 25yr security veteran I am disappointed to hear this defeatist philosophy. And as an aside, affordable technology exists that would have prevented the Snowden incident but wasn't deployed due to cost constraints...case-in-point.

Wed, Jun 4, 2014 Jack Ring Arizona

Not shift their focus but broaden their focus to include making systems invulnerable, thereby complementing infusion prevention and quick detection.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above