Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10/6/2016
03:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

NSA Director Not Opposed To Splitting Cyber Command From Agency

In the long run it may make sense to keep nation's cyber offense mission separate from NSA, Michael Rogers says.

Admiral Michael Rogers, the director of the National Security Agency (NSA) this week said he is not opposed to the idea of separating US Cyber Command from the spy agency.

Speaking at a forum organized by the John F. Kennedy Jr. Forum at Harvard University’s Institute of Politics, Rogers said any decision to separate the two organizations would have to be made by the President of the United States. But he would support the idea so long as it did not introduce any new risks.

“Look, in the long run I think it is the right thing to do,” Rogers said. “The only question in my mind is the timing. We have to do it in a way that minimizes risk to Cyber Command and NSA,” said Rogers who as director of the NSA is also the head of Cyber Command.

US Cyber Command was established seven years ago to provide a range of mainly offensive cyber capabilities for the US Department of Defense.

The organization is structured along the lines of a typical military organization. One of Cyber Command’s missions is to provide capabilities for defending weapons systems, platforms and data against cyber attacks. On the offensive side, it is tasked with providing US operational command and policy makers with what Rogers described as a range of “options” for taking cyber action against foreign adversaries.

One of its other roles is to provide capabilities for protecting US critical infrastructure targets and commercial entities against cyber attacks, if directed to do so by the president. For example, soon after the massive intrusion at Sony Corp. two years ago, the NSA was called in to assist the FBI, the DHS and other domestic law enforcement agencies in investigating the attack.

Rogers’ comments come amid reports of the Pentagon and the intelligence community recommending that the President break up the joint leadership structure that exists today for the NSA and Cyber Command.

Apparently, there is a growing feeling that the missions of the two organizations are different enough to merit a different organizational structure. The argument is that Cyber Command with its offensive mission would do far better as an independent organization than as part of the NSA, whose mission is primarily a defensive one.

Concerns over the dual-hatted role of the NSA director are not new and neither is talk about the need to separate Cyber Command from NSA. Many have previously noted that the NSA director’s obligations to the agency’s signals intelligence mission under Title 50 of the US Code are in direct conflict with his cyberspace obligations under Title 10 authority.

In addressing the issue at the Harvard forum this week, Rogers said Cyber Command was established within NSA seven years ago because it made the most sense to do so at that time.

The US had decided then that cyber was an operational domain in which new capabilities needed to be developed, Rogers said. “We stepped back and asked ourselves ‘how do we build on previous investment and previous expertise’,” in the cyber domain within the defense department.

The NSA, with its cyber capabilities was the obvious choice, he said. “While NSA is an intelligence organization, it is a combat support agency within the DoD” with extensive cyber capabilities, Rogers said. The feeling at the time was that setting up Cyber Command within the agency would give the US a way to leverage that capability, he said.

“It is now seven years later and we are currently, as we often do, stepping back and asking ourselves does that structure still make sense?” Rogers said. “Has seven years of practical experience led us to believe that perhaps some of the assumptions we made are proving to be different than we thought.”

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16772
PUBLISHED: 2019-12-07
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
CVE-2019-9464
PUBLISHED: 2019-12-06
In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
CVE-2019-2220
PUBLISHED: 2019-12-06
In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
CVE-2019-2221
PUBLISHED: 2019-12-06
In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
CVE-2019-2222
PUBLISHED: 2019-12-06
n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...