Mike Rogers
Michael S. Rogers is a former United States Navy admiral who served as Commander of the Tenth Fleet and Second Commander of the United States Fleet Cyber Command, with responsibility for all the Navy’s cyberwarfare efforts. (USCYBERCOM). He concurrently served as the 17th director of the National Security Agency (NSA) and Chief of the Central Security Service (CSS).
00.26
[Applause] [Music] so [Music] cyber warfare has been called america's
01.00
greatest threat by leaders in every major department of the u.s government mike rogers is our most recognized expert on this subject bar none he's a four-star admiral he served as commander of the 10th fleet and second commander of the united states fleet cyber command with responsibility for all of the navy's cyber warfare efforts he concurrently served as the 17th director of the national security agency and as chief of the central security office during two different united states presidencies please welcome admiral mike rogers [Music] thank you thank you all right well good afternoon everybody and let me start by apologizing i did not do slides and normally i would have but quite frankly i have just been inundated with russia ukraine for the last two weeks and i have just been head down totally focused on that so please accept my apologies as you heard
02.00
i i think part of my challenge in the next 20 minutes is we heard about the power of possibility this morning and we heard about the strength of innovation and how some amazing people are doing things that are going to make our society better improve the quality of our lives the duration of our lives and yet i'm going to spend some time talking to you about something that potentially plates as much of that at risk we're to get really really bad so i want to talk to you about cyber war now the first comment i make is we need to kind of agree as to what the definition of cyber war is there is no established definition that i could find there was certainly none in the government when i was in and the two presidents that i worked for directly on this subject uh we would often go back and forth about so mike what is it what is it not so let me read this is how i define it i define cyber war as the unauthorized penetration of a computer or a broader network by a nation state or for a nation state for the purposes of destroying denying disrupting or degrading the connectivity or
03.02
functionality of that computer that network or the data it contains so there's a couple important points of that uh act of war from a legal definition that is a nation state that that is not necessarily criminal activity so we'll talk a little bit about ransomware and how that has been that's not really what i would i would define as cyber war first let me start with a little history because one of the things i always try to remind people is look if you want to know where we are and where we're going you should spend some time thinking about where we have been because where we have been has in no small part shaped the one of the reasons why we got multiple challenges today so we first actually come up with the idea of an automated machine that ultimately we call a computer in 1936 by an individual named alan turing who helps break the enigma codes in the nazis in the second world war we developed the first if you will computers or at least electrical devices
04.00
in the 1950s but remember they are the size of rooms they are so large they are only in offices and buildings individuals don't have computer access at home the next kind of milestone that i would highlight is 1969. the department of defense articulates a requirement for for what ultimately becomes the internet this connectivity if we if you will that we've created globally it's important to remember what we did and what we did not do with that internet we did not design security as a core design feature why because in 1969 where the department of defense initially came up for this with this requirement the thought was who would be interested in getting into an unclassified network with open information why would we need to worry about that and so security was not built into it in the 1980s we get the first desktops so computers now go from these really large
05.01
complex i'm sure many of you i am of the age i wrote my computer programs in college on cards you had to log time to get this to the computer center um in the 1980s we get the first desktops in the 19 in 1991 we create the world wide web that's important because now we take the internet and we scale it to a global scale and we come up with an address scheme that now enables us to literally bring on board tens of billions of entities that enables the expansion that we've seen in the 1990s we get the first laptops so now we've got computer mobility we can actually take computers with us in the 1990s cell phone technology matures to the point where it's not a brick that we can only keep in a car or we've actually got to put in a bag and carry with us it's a small enough handheld device that it truly is mobile and we carry it on our person um in the 2000s we start to get smart phones and what's important about that is our phones are now digital devices they're
06.02
not just the ability to call someone they give us access to a broader global connectivity and a set of capabilities and with that we actually develop software apps so now we've got functionality that we can access on the phones we then in the 2015 era i would argue we get in we start to get into the age of hyper connectivity we literally are starting to collect connect all of these devices all of this fixed infrastructure all of this connectivity is now all tied together that's important because the positive side is it gave us great increased functionality and speed the flip side is it gives us massive vulnerability because now everything simplistically and combined with the internet of things everything is tied together everything is connected it is really hard to quote isolate in the digital world whether you want to do it as an individual you want to do it as a company in an organization
07.00
or or we try to do it as a government i mean i will tell you for example i have been asked in my previous professional life you know mike could we isolate country x off the internet you know is that something that would be possible is that an option for us and i i would tell you that is you can certainly have impact but doing something totally is really challenging the last technical piece i would highlight is 5g we're in the midst of installing 5g mobile or cellular capacity around the world 5g takes a phone and turns it truly into this massive digital network 5g technology will power things like autonomous vehicles because remember autonomous vehicles need constant access to data and you're remotely monitoring the vehicle to do that you got to have a network structure that is speed connectivity and can actually take the capacity of this that is what 5g does it
08.01
is a total game changer from a technology standpoint so we talked about systems let's talk about individuals real quick in the 1980s now it's the first time you really start to get hack what we call hacking anybody remember the 1983 movie war games what is it it's a kid in the 1980s hacking is largely the acts of individuals and it's generally about well let me show you what i can do it's a way to show others what you're capable of it's not viewed so much as well this is a weapon it's a means for me to destroy degrade deny like i said in the 1990s nation states start to discover the power of cyber as an espionage tool can we penetrate foreign networks and extract information and again being very honest and direct that is what the national security agency does for our nation we penetrate among other things foreign networks and we find information that we believe
09.01
significantly impacts the security and well-being of our nation and our friends and allies and we extract it and we share the insights with our elected leadership our military and our friends and allies around the world in the 2000s you start to see nation states view cyber as both a weapon and an economic tool according to media reporting we have this thing called stuxnet where for the first time you see a computer software program that is designed to physically destroy infrastructure in iran associated with the development of nuclear weapons at the same time in the 2000s you start to see particularly china view cyber as an economic tool i can penetrate networks and i can extract and steal intellectual property that gives me economic advantage saves me a fortune in research and development and compresses my development timelines so if i'm worried if i'm looking at
10.00
doing deep sea oil exploration in the south china sea and if i can steal deep sea drilling oil technology i've saved myself billions of dollars in a lot of years um also i would argue you saw in the 2010s criminal groups really start to emerge it's not that they weren't there before but they come to a whole level criminal groups why they're focused on revenue they view cyber as a tool to extort to generate money so think about it now we've got individuals who have been hacking we've got nation states who view this as a way to potentially gain advantage and now we've got criminal actors who view this as a way you know i can really generate money on an unsurpassed scale depending on what standard we you use in 2020 the last complete year of data i've seen ransomware generated almost three trillion dollars around the world so the penetration of computers by criminal groups has become massive
11.01
massive business and at the same time in the 2000s you saw nation states literally almost every nation in the world is investing in cyber so massive increases in capacity and capability everybody's raising their game i mean i constantly in my previous life always asked who are the ones we should be concerned about who has the most capacity i i would argue our advantage here continues to erode everybody's knowledge just keeps going up and then in 2022 the pandemic hits and from a cyber perspective it has a massive impact why because now we are all dispersed we're away from the office and even if we're using an office supply computer it is still using your home router for example and suddenly we have blurred the difference between what is work infrastructure and what is home infrastructure and we're all suddenly using the same infrastructure for our children to game for our children to go to school
12.02
for adults to do their jobs to do work for us to maintain contact with our families and friends around the world in the middle of a pandemic we start to blur the lines between what is work and and what is personal and a lot of cyber actors are taking care of that so let me focus then on where we are in 2022 and why i think what is going on in russia and the ukraine is going to be a watershed in cyber warfare and why i would argue you're seeing some things unfold right now they're going to shape the future for us as individuals for companies for our governments and for the broader world around us so first what are you seeing cyber has been a significant element of both the russian and ukrainian efforts both to inflict pain on the other as well as to defend themselves both actors have turned to
13.00
external groups both the russians and ukrainians have said hey look we are going to create patriotic hacking groups these are non-government non-military non-state security individuals who will come and will work with us to increase our cyber capacity and cyber capability you're seeing criminal groups in russia talk about how they are going to come on side on the side of russia with respect to the application of cyber you're saying nation states as i said turned to surrogates we talked about into individual groups but look at what industry is doing you are watching industry and i don't mean this as a criticism this is just an observation you are watching industry apply their capabilities to help these nation states in the middle of a war it might be you're an elon musk and you want to ensure that ukraine continues to have connectivity because if the internet goes down you want to use satellite access so
14.01
you're providing tools for them to do that you look at i could probably name five major companies off the top of my head in cyber security that are currently right now doing cyber security work with the ukraine and i know of about three major russian cyber security firms right now that are doing cyber security work for the russian government in the middle of the war so you're just seeing a whole new ecosystem all those trends that i talked about that broader technology i talked about it is all starting to come together now the lines are really blurring it's getting harder and harder to tell who the actors are what's their objective and and what are they trying to achieve i want to highlight four specific things i think because i'm mindful i i don't want to go long i want to highlight four specific things that i think are significant implications of what's going on in ukraine and russia with respect to cyber the first i believe for the first time in the coming weeks and months you will see businesses the private sector will become targets in an economic war
15.03
businesses historically were penetrated for cyber purposes for intellectual property as a target of espionage particularly if they worked within the defense or security sectors or high technology sectors or they were viewed as a ransomware target a revenue generation opportunity they were not generally viewed as a target in a broader war i think that's changing and so uh you know literally i was up at zero two this morning talking to a company in eastern europe because it's the morning over there um about what are the implications for them for a transglobal corporation as they're trying to figure out what are the implications in all of this so business is a target if that's true then it starts to ask questions in our society so what is the role of the government then does that change the government's responsibility because right now we largely say cyber security
16.00
is a personal or a corporate function it is not something the government assists you but it's not the government's not responsible for it the government doesn't create it you the private entity you the individual are responsible the second thing i would highlight is i the initial targets i think that you're going to play out over the next few weeks government businesses but there will be an individual component to this because the russians in particular are looking at who is speaking out against them who is donating money in support of potential adversaries for them who are leaders within corporations that are pulling out their businesses from russia there will be an individual peace to all of this i also believe in the next few weeks you are going to see the russians use cyber as a tool to create economic pressure in the west because remember the russians right now dealing with a series of global sanctions that the world has never seen
17.00
before if you're the russians you don't have a lot of tools available to cause similar economic pain in the united states and in these broader nations that are executing these sanctions cyber becomes an attractive tool if i can degrade destroy deny disrupt critical infrastructure power connectivity financial energy distribution aviation the things that we take that for granted every day that enable us to live these incredibly complicated but incredibly productive lives um we need to be ready if they decide that they want to start disrupting that and the fourth and final point i would make is we need to think about unintended consequences because we have never seen cyber applied so broadly in a war as we are watching unfold in the ukraine and one of the things that worries me about all these surrogate groups they are not so worried about second and
18.01
third order effects they want to cause as much pain as they can the greatest cyber event arguably in terms of global impact and cost is notpetya june 2017 the russians decide they want to use a supply chain attack to go after the infrastructure in the ukraine except the technique they use ends up proliferating the malware or malicious software programs that they write and suddenly that malware is being found all over the world so we've already seen a nation that quite frankly does not really concern itself so much about limits and secondary damage all they seemed to care about was hey did it have the impact on the ukraine we wanted if it had a global impact oh well that's just another added benefit but notpetya depending on the source you want to use costs the broader global community anywhere from 3 to thirty billion dollars and disrupted global economic activity
19.00
to some degree much less in the united states much more in asia and eastern europe for anywhere from weeks to months think about all these patriotic hacker groups that are out there i i you know i worry how much are you concerned about unintended consequence here as an individual who used to do this for our nation one of the things that was always you know was pounded into me from our nation's leadership and i always made sure the team understood we want no unintended consequences if we're going after a target in cyber it only affects that target and it only has the specific effect we want we don't want something that's going to get out of control we don't want something that's going to proliferate we don't want something that's going to have broader impact i worry that many of these partners or players in this whole thing don't have that same sense of concern that could very much be a challenge for us lastly i want to talk to you really quickly about the idea of resilience
20.00
the reality is i i spent 20 years as part of teams that both penetrated networks for living and defended networks for a living and i have managed to fail at times in both categories um on the defensive side a couple times very publicly where for example we acknowledge the russians got into our unclassified a portion of our unclassified pentagon network and the team that i was leading we were responsible for driving them out i always try to remind people look given this hyper-connected world in which we live in given the probability that we will have activity that is not only directly is not only directed specifically against us but we may be the unintended victim like that notpetya scenario i talked about we as a society must be resilient our standard cannot be there can't be any issues or impact in cyber if that's the standard we apply i guarantee you as a nation we are about to be very frustrated my attitude is and what i always try to
21.01
tell our nation's leadership and the teams that i led what we need to focus on is cyber resilience and our ability to recover and our ability to sustain activity in the face of these kinds of cyber events it's about how quickly can we restore it's about how quickly can we bypass or develop alternative capability that takes time that takes thought and there's a also an idea here of you know our resilience as a society we're not used to this idea of potential significant disruption it's just not what what we're used to um you saw a taste of this potentially with colonial pipeline it's hard to believe that's almost a year ago a ransomware attack against the single largest distributor of refined petroleum products which addressed 45 they were the source of 45 percent of the distribution of gasoline products between houston texas and the new york area they took themselves offline because
22.00
they had a ransomware event that lasted about seven days and you had people going to gas stations and putting gasoline in plastic bags not only is that not a safe practice it also isn't going to work guys you do know that gasoline eats through plastic but in any event i i just i see things like that and i think to myself guys as a society we've got to be smarter we've got to be more resilient here we have learned how to deal with pain before in our history i believe we can do it um and we've got to be ready for it and with that i thank you very very much for your time and thank you for being here today [Applause] can i ask you a couple of questions that was a remarkable uh and and highly sobering uh presentation uh to state the obvious i i wonder if you have been surprised that so far the russians have not used the cyber front in ways we have
23.01
heard about uh in the face of what i am sure both the russian people and the russian government think are highly cyber oriented provocations checked by the united states in the west so it's funny you say very sobering literally the two presidents i work for would always say if mike calls it is generally a bad day so i went to them with something i was surprised we didn't see it but as i look back here's why i think we have not seen as much number one the russians were way uh they totally misjudged i believe they thought it is 72 to you know it's 48 to 72 hours for us to get in we're going to be very successful the same infrastructure that we might potentially degrade or destroy through cyber guess what when we assume power in the ukraine we're going to need it to disseminate information to the populace we're going to need it to coordinate hey don't touch the infrastructure again i think they thought we're going to get in
24.00
there so quickly we'll just use it secondly i think their their calculation was we do not want this to broaden into a conflict bigger than the ukraine if we use cyber significantly outside of the uk because there is a lot of activity going on in the ukraine some of it's not getting a lot of attention but there's a lot of stuff going on i think their calculus also was there's a real downside in the beginning to using cyber more broadly in the united states and in the west what changes and why i tell you look i think in the coming weeks and months that dynamic is going to change i think putin is now in moscow and he said or sochi his villa down in the south and he says to himself this has gone worse than i thought it would the political the economic pressure i'm dealing with is greater than i thought it would be and the cohesion of the nation's arrayed against me is much tighter than i thought it would be therefore i need to ask myself what tools do i have to cause economic pain to the west with
25.01
the view that perhaps they'll back off i need to cause political disunity so that the populations in those western nations will go to their elected leadership and say hey i don't think it's a good thing that the russians are invading the ukraine but i i didn't sign up the five dollar a gallon gas i didn't sign up to disruption and other things i believe that the russians are going to be asking themselves how do we create so in light of what you just said which is the idea that it is improbable that this these kinds of cyber incursions are going to proliferate what at what point does that then cross the line into being an act of war what then is the response of the united states and the allied countries to that and it and and and what form would it take so in two ways one of the million dollar questions there is no accepted international definition either legally or from a policy
26.00
perspective as to what an act of war is within the cyber arena we have had cyber activity go back to sony 2014 the north koreans launched two malicious wiper malwares that end up literally destroying the computer system of a private company sony motion picture entertainment because this company develops a movie that is a character of the beloved leader kim jong un in north korea and they launched a cyber attack and i mean i was part in the sit room and the oval talking with this about president obama about what what does this mean what it was going to do we opted the policy decision was well we're going to treat it as a legal issue the theft of intellectual property the breaking and entering if you will so there's no defined agreement it is interesting nato has already publicly said prior to this event and they've reiterated it a significant cyber act against any nato nation potentially trips the article 5 mutual defense portion and may be con can
27.02
identified by the alliance as an act of war in which the alliance will respond now the alliance then also says the actual determination will be based on the specifics of the events the specifics of the effects the specifics of the target so that's kind of where we are the u.s that's kind of our position so depending on the specifics of the event the specifics of the target uh and the effects at what point does the response of the allied nations move from the cyber arena to the kinetic warfare arena or does it that would have to be a really that would be a really high threshold because part of the challenge here again in my previous life you always were concerned and the nation's leadership was always concerned you do not want to escalate the situation into a broader confrontation whether it be in cyber or whether it be in a kinetic you know shooting down planes and dropping bombs you do not
28.00
want to broaden this into a broader conflict between the united states and russia the the the stated goal of the alliance in our nation is we want to contain this to the ukraine we want to apply enough pressure that we convince putin that he needs to be that he needs to back off and he needs to pull out but we don't want to apply so much pressure that we destabilize the situation and he believes for example his back is against the wall i've heard a couple people and some of the things i do he's got to go and i'm sitting here thinking so you're advocating regime change do you know what what the implications of regime change as a stated policy objective are that totally changes this dynamic if putin thinks the goal is to drive him out of power how do you think his risk threshold starts to look he will really go to the wall so i always encourage people look guys we need to put enough pressure to get him to change his calculus but we do not want to put so much pressure on this that he truly starts to believe that he's got no options in his backings
29.00
against the wall he's already rattled the nuclear saber to us you don't want him going beyond that you don't want him getting into things like i'm going to do destructive cyber against the power grids around the world or i'm going to try to take out the financial networks around the world the more cornered and the more threatened he feels the more d stable right that's my statement i'm just giving you my opinion final question do we know where putin is we have a f i won't go into specifics but generally for the variety means we have a fairly consistent idea of i'll take that just the way you mumbled it there you go mike rogers thank you so much thank you very much thanks