How should the United States respond to the threat posed by cyberattacks? Admiral Michael Rogers, the new head of the National Security Agency, said yesterday that it should focus on improving its offensive capabilities to deter others from attacking it.
The remarks were made in front of the Senate’s Armed Services Committee. As the New York Times reports in its piece on Rogers’ appearance before the committee:
When pressed, Admiral Rogers said that erecting ever-higher digital fences would never be enough, and that ‘we have got to broaden our capabilities to provide policy makers and operational commanders with a broader range of options. Because in the end, a purely defensive reactive strategy will be both late’ and would become ‘incredibly resource-intense.’
‘So, I have been an advocate of, we also need to think about how can we increase our capacity on the offensive side here, to get to that point of deterrence.’
Rogers doesn’t want America to speak softly and carry a big stick. He wants the country to remain silent while it wields a cudgel with which it can clobber its foes. Why focus on defense when you can just scare the bejesus out of other countries?
Here’s one reason: The NSA isn’t the only intelligence agency capable of exploiting vulnerabilities in technologies used around the world. And if it keeps these issues secret so it can exploit them, other countries could also take advantage of them.
This argument has been made before. As I wrote after Edward Snowden discussed the problems with our cyberwarfare strategy in an interview with James Bamford:
The NSA has been roundly criticized for reportedly stockpiling exploits which allow it to gather information from networks in the US and within other countries, because it means the problem might never be fixed.
The government has denied claims that it collects these vulnerabilities, but it has said there are exceptions, and a program revealed by the Intercept called AURORAGOLD further disproves the notion that the NSA isn’t intentionally keeping security holes secret.
No security vulnerabilities will ever remain exclusive to the NSA. Someone else will always discover them, exploit them, and undermine Rogers’ argument that focusing on offense will deter other intelligence agencies from launching attacks of their own.
Rogers doesn’t have to build a bigger wall. He just has to stop the NSA from poking holes — or at least keeping silent when it discovers existing holes — in the ones that have already been built. That’s not prioritizing defense; it’s deciding not to sacrifice the country’s security with the misguided belief that it benefits its offensive abilities.