Navigating the Complex World of Cybersecurity: Insights from the Former Leader of U.S. Cyber Command

March 7, 2025

Defense Secretary Hegseth has ordered U.S. Cyber Command to pause all planning regarding cyber offense against Russia. This controversial pivot in policy is sparking much debate in national security circles and among cybersecurity leaders and threat analysts. 

Quantum Xchange had the opportunity to host the former head of U.S. Cyber Command, retired Admiral Mike Rogers, as a guest on our most popular episode of Crypto Convos. As the work of U.S. Cyber Command makes headlines, we thought it an opportune time to reshare this riveting conversation with its former leader. Enjoy the brief synopsis below, or watch/listen to the full episode here.

The Overlap of Spies and Hackers
Admiral Rogers began by discussing his unique experience managing a diverse group of military and civilian personnel. His roles at the National Cyber Command and NSA required him to navigate the overlapping worlds of spies and hackers, highlighting the complexity and diversity of modern cybersecurity operations.

The Persistent Challenge of Software Vulnerabilities
The conversation quickly shifted to the topic of software bugs and cryptography, with a specific focus on recent vulnerabilities like the OpenSSL bug, reminiscent of the infamous Heartbleed. Rogers recounted his experience dealing with Heartbleed, emphasizing the challenges of identifying vulnerabilities and deploying fixes across extensive networks. Despite intellectual recognition of these issues, he expressed doubt about significant improvements in organizational handling of such vulnerabilities.

The Fragility of Modern Systems
Rogers highlighted the fragility of modern systems, built for benign environments rather than current threats. He cited examples like the Log4j vulnerability, which exposed long-term, widespread weaknesses in simple software functions. The evolution of technology has led to complex systems with dependencies, yet risk assessment methodologies remain lacking.

Cryptographic Algorithms: Trust and Vulnerability
The discussion then turned to cryptographic algorithms, such as RSA and Diffie-Hellman, which are based on difficult-to-reverse mathematical problems. While these algorithms are perceived as secure, there is no proof that they are unbreakable. Rogers emphasized that cryptography often fails due to improper application rather than mathematical flaws. He advocated for a replacement program for cryptographic standards, rather than relying on the same encryption for extended periods.

The Growing Threat of Information Warfare
Information warfare has grown significantly in the last two decades, with attacks on critical infrastructure like power plants and water supplies becoming more prevalent. The SolarWinds supply chain attack, while devastating, did not disrupt basic services, but it highlighted the potential for significant damage due to trust in technological systems. Rogers discussed the complexity of attributing cyber attacks to nation-states and the geopolitical implications of such attributions.

A Risk-Based Approach to Cybersecurity
Rogers emphasized the importance of understanding systems, structure, connectivity, software, and hardware for effective cybersecurity management. Many network owners lack a true understanding of their systems, leading to vulnerabilities. He advocated for a risk-based approach to cybersecurity, prioritizing resources and seeking help from partners, other companies, government, and law enforcement. Learning from similar-sized companies or sectors can also provide valuable insights.

The conversation with Admiral Mike Rogers provided a comprehensive overview of the current state of cybersecurity, highlighting the persistent challenges and the need for a proactive, risk-based approach. As technology continues to evolve, organizations must remain vigilant, continuously evaluating and updating their cybersecurity strategies to protect against emerging threats, including harvest-now, decrypt-later and quantum attacks.

The full episode can be found here.
