Policy and Will, Not Cyber Weapons, Are Missing in Action Against Russian Information Attacks

Adm. Michael Rogers took charge of the NSA and U.S. Cyber Command in 2014, when the nation’s eavesdropping agency was accused of being too intrusive in the aftermath of the Snowden scandal. Now, as he prepares to step down, legislators are demanding to know why the NSA, and the broader intelligence community, didn’t do more to fend off Russian attacks on U.S. democracy.

“I don’t think we anticipated the level of aggressive behavior we would see over time” from Russian actors, Rogers told the Senate Armed Services Committee on Tuesday. Nor, he said, did the government appreciate how Russia would see information and influence warfare “as a strategic imperative over time.”

Asked by several senators why he had not done more to counter Russian hacking and leaking in the runup to, and after, the 2016 election, Rogers said he did what was possible within his authority. So Sen. Richard Blumenthal, D-Conn., asked why he had not requested more authority. Rogers responded that Cyber Command and the NSA could do a lot to harden networks from attack and to execute cyber operations against an adversary after the fact, but there was little that he could do to dissuade Vladimir Putin from running an intelligence-and-influence operation. Real deterrence, he said, would require a whole-of-government response.

“I’m not sure right now that the capabilities would be the optimal or only response to this,” he said. “Be mindful of falling in the trap [of thinking that] just because someone comes at us, that we have to come back and do the exact same thing.”  

The idea that Cyber Command has no clear authority or mandate to stop Russian propaganda efforts on social media sites like Facebook seemed to surprise Blumenthal and several other lawmakers. When the senator said that it was time for the head of Cyber Command to request more authorities, Rogers repeated a response that he’s used many times before. “I’m an operational commander,” he said. “I’m not going to tell the president what to do.”

Rogers, of course, is right. As the head of the NSA, he has authority to collect signals intelligence on foreign adversaries and their activities. That’s altogether different from attacking a hostile government. As the head of Cyber Command, a sub-unified command throughout Rogers’s tenure, he could execute offensive operations. But the commander in that job just can’t start a hacking-and-leaking war against the Kremlin without approval from above, and such operations would play a role in a broader military strategy surely requiring Presidential approval.

Last August, the Defense Department announced that it would elevate Cyber Command to a full combatant command, which would give Rogers’ successor, Army Gen. Paul Nakasone, more power in terms of budgeting, training, etc. But the law also requires that Cyber Command be split off from the NSA once the new head, and the Defense Secretary, deem the timing is right. If you’re confused now about what the head of Cyber Command and the NSA is supposed to do to stop Russian online disinformation efforts, the situation won’t get better when there are two people in the place of one.

The Obama administration took a step toward creating authorities for the military and intelligence community to respond to election hacks in January 2017, when it designated election systems, including voting machines, as critical infrastructure. That allows the Department of Homeland Security to step after major incidents and even call in cyber operators from the National Guard for backup. But election systems aren’t conventionally considered infrastructure, and a candidate’s email accounts (much less voters’ Facebook feeds) don’t qualify as infrastructure under any definition.

Rogers could not touch on that. But, he said, the nature of cyber attacks, and particularly the way in which the Kremlin uses them for political effect, “is going to force us to look outside of the traditional lines that we use in defining problems and aligning resources.”

Policymakers, and especially the President, still have a lot to do to clear up who should do what and when — and even to display the political will to address the problem.

“What do you do when we’re dealing with a challenge that crosses so many different lines?” Rogers asked. “In our structure, elections are a state process. Cyber capability? That’s DOD, DOJ, DHS. That’s the Executive Branch. That’s not state. That’s federal... and that’s an executive branch” decision.