NSA Chief Warns Congress About Cybersecurity Threats

     WASHINGTON (CN) – Ending bulk-data collection will significantly hurt the National Security Agency’s operational capabilities, NSA Director Admiral Michael Rogers told Congress on Thursday, pointing to the rise of cybersecurity threats.
     In a rare public session, hours after Pope Francis addressed Congress , Rogers appeared before the Senate Intelligence Committee to discuss some of the challenges the agency faces as it transitions to a new data-collection system.
     The NSA’s move comes in connection to the Nov. 29 deadline of the USA Freedom Act , which revoked the authority the agency had to gather the phone records of millions of Americans under the Patriot Act.
     Sen. Richard Burr, a North Carolina Republican who chairs the committee, invited Rogers to use the public hearing “to separate the myth of the NSA from the reality of the NSA,” in the wake of the fallout from the Edward Snowden leaks.
     Rogers assured the Senate: “We do not indiscriminately collect.”
     “Everything we do is driven by the law and a set of priorities as to exactly what we do and what we focus on,” Rogers added, saying NSA efforts are designed to defend the nation, not invade people’s privacy.
     The mostly sympathetic committee members heaped praise on the agency for its intelligence gathering, and its use of bulk phone data to thwart terror attacks on U.S. soil, claims that have been widely disputed by organizations like the Electronic Frontier Foundation.
     Rogers meanwhile insisted that bulk data collection has intelligence value, citing a report that the National Academy of Sciences released in January, which concluded that no technological replacement for bulk-data collection exists.
     Hinting that this will hamper counter-terrorism efforts, Rogers said terror groups, including the Islamic State in Iraq and the Levant and al-Qaida, have adopted more behavioral changes in the past two years than he has seen from any other target.
     “They actively reference some of the compromises and media leaks of the last couple of years,” Rogers said. “And we know they have achieved a level of insight as to what we do, how we do it and the capabilities we have, that quite frankly they didn’t have” before.
     Compounding the harms from restricting bulk data collection, Rogers said technological advances – including the proliferation of encrypted communication – make it more difficult to figure out what these groups are doing.
     Sen. Ron Wyden, D-Ore., reminded Rogers that President Barack Obama’s advisory committee disagreed with Rogers on the effectiveness and value of bulk data gathering, citing page 104 of the committee’s 2013 report.
     “The information contributed to terrorist investigations by the use of section 215 telephony meta-data was not essential to preventing attacks and could readily have been obtained in a timely manner using conventional section 215 orders,” the report said .
     Under the USA Freedom Act, the NSA will no longer collect phone metadata directly from phone companies and conduct its own data queries. Instead, the agency will have to get a court order to ask the phone companies to query their own data.
     Patriot Act parameters meanwhile had given Rogers emergency capabilities – powers he claims to have used only a handful of times, when he believed there wasn’t sufficient time to get a court order under the Foreign Intelligence Surveillance Act.
     In these cases, Rogers said bulk data analysis could be done in less than 24 hours. Under the USA Freedom Act, that authority will rest with the attorney general.
     Because the agency is still transitioning, Rogers said he does not yet know how long data analysis will take under the new system.
     “It’s probably going to be longer,” Rogers said. “I suspect we’re going to find out.”
     In addition to expressing doubt about the agency’s ability to effectively respond to imminent threats under the new system, Rogers spoke about growing cybersecurity threats. He said the nation’s preparedness to protect against cyberattacks on critical infrastructure is “probably at a five or a six,” on a one to 10 scale.
     “That’s not where we need to be,” Rogers added.
     Sen. Dianne Feinstein, a California Democrat who serves as vice chairman of the committee, quoted the Department of Homeland Security as having identified 60 government agencies that are vulnerable to cyberattacks.
     Cybersecurity represents a major deficiency at some of these agencies, however, leading Rogers to underscore the need for greater latitude for the NSA to step in.
     The new law means that the NSA can respond only to requests by Homeland Security for assistance on a case-by-case basis.
     “We’ve got to move beyond the ‘Clean up on aisle 9’ scenario,” Roger said.
     So as to avert another fiasco on the scale of the Office of Personnel Management breach, Rogers said the government must figure out how to proactively get ahead of the cyberthreat problem and better protect personal information.
     Homeland Security requested the NSA’s help after the OPM breach, but Rogers said there aren’t enough resources for the NSA to address all of the cybersecurity needs of the dot-gov regime. The agency would have to prioritize needs if given the authority to treat them, he said.
     Recruitment and retaining employees have been difficult for the NSA as well, Rogers said. He noted that another government shutdown would exacerbate stresses on the workforce, and could compromise national security by driving NSA employees into the private sector.
     What the workforce is reading in the media now about a possible shutdown is not helpful, he added.
     Rogers said the Snowden leaks prompted the agency to put behavior-monitoring mechanisms in place, but this is creating a backlash from the workforce.
     “Because of the actions of one individual, you are now monitoring me, now watching my behavior in a way that you didn’t necessarily do before,” Rogers said.
     He said some employees are now asking themselves, “Hey, do I want to work in a place like that?”
     Though Rogers shot down the idea of a cyber-arms-control agreement to deal with cybersecurity threats, he said the country needs some kind of understanding between nation states that currently pose a greater national-security threat than nonstate actors.
     Most cybersecurity attacks until now have been theft, Rogers said, but it is possible that attackers will begin to manipulate data, or launch direct attacks against critical infrastructure.
     Another major concern for Rogers pertains to how nonstate actors will direct cyberattacks in the future. “What happens when a nonstate actor decides that the web now is a weapon system, not just something to recruit people?” he asked.
     At the end of the hearing, Rogers faced an attempt by Sen. Tom Cotton, R-Ark., to discuss the Hillary Clinton email scandal.
     “You really want to drag me into this mess?” Rogers said, when asked for his professional opinion about the use of private email servers to conduct official business.
     “From a foreign-intelligence perspective, that represents opportunity,” he said, noting that communications of the president’s advisers are a top priority for foreign-spy agencies.
     Rogers told the committee he will provide it feedback on the transition to the USA Freedom Act parameters in October.

%d bloggers like this: