Former NSA chief calls for alternative approach to cyberdefense
MUNICH, GERMANY — The U.S. and its allies need to step back and reassess which strategies are working in cyber and what needs to be changed, according to Michael Rogers, former director of the U.S. National Security Agency.
Addressing the audience at the Munich Cyber Security Conference on Friday, Rogers said that with Western countries experiencing record levels of ransomware, penetrations, and successful data extortions last year, it is necessary to explore alternative approaches in cyber defense.
"Continuing with the same strategies and expecting different outcomes is a low-probability success strategy," he added.
In Rogers's opinion, one of the things that needs to change in how countries respond to cyber incidents or defend themselves from threat actors is the focus, which should shift from “effort” to “performance.”
"Don’t tell me how much money you spent or how many people are working on the problem — what I’m interested in are metrics that indicate those efforts are translating into successful outcomes," Rogers said. "By focusing on metrics, we're able to identify whether we are succeeding or not."
As a retired U.S. Navy Admiral and former U.S. Cyber Command commander, Rogers learned a lot about strategy from his military experience, including the need for “continuing assessment and focus on performance."
He said that countries tend to do “their best” to combat cyberthreats, while sometimes what they need is to ask themselves what they can do differently.
This is what Ukraine did when Russia invaded it two years ago and launched both kinetic and digital strikes. Ukraine pivoted from a fundamentally different model in cyber, Rogers said. “And they did that because they faced such a magnitude of threat that they needed to do something fundamentally different."
Bold solutions that Ukraine can afford to make, given the risks it faces, would be hard to replicate in countries like the U.S., according to Emily Goldman, a strategist at U.S. Cyber Command.
“Ukraine is learning within the conflict environment, and the U.S. is still in the competition environment. These are distinct geopolitical conditions,” she said at the conference.
But some things can be applied to the U.S. and its allies, according to Goldman, for example fighting as a coalition of countries, securing war-fighting networks, and being proactive and anticipatory.
She said that countries have to set cyber conditions in their favor before the conflict erupts. For this, they should adopt a mindset that many hackers use in their operations — they do not focus on the effect of individual hacks but rather on the cumulative effect of strategic campaigns over time.
To better understand and combat common malicious actors, countries should work together. Current collaborative efforts are not as effective as they could be, however, according to Rogers.
“Collaboration for me is when I do my thing, you do your thing, and we each tell each other what we are doing. It doesn't give us speed, and it doesn't allow us to stay ahead of problems,” he said.
Rogers’ solution to this is “integration.”
“It is about working side by side 24/7,” he said. Such an approach gives countries speed and in-depth knowledge, and allows them to stay ahead of problems.
Both Goldman and Rogers agreed that conventional and cyber warfare are very different and involve a different set of threats and approaches to respond to them.
For example, there is no shared understanding in cyber about what behavior is acceptable and what is not, or about how to measure a country’s cyber success.
“When we say 'do we win' — what do you mean?” Goldman said. In her opinion, a victory is when a country can outcompete its enemy, reduce strategic loss in competition, and set conditions to prevail in a crisis or conflict.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.