The Strategist Six: Mike Rogers

Welcome to ‘The Strategist Six’, a feature that provides a glimpse into the thinking of prominent academics, government officials, military officers, reporters and interesting individuals from around the world.

1. It appears that the United Kingdom has decided to allow the Chinese company Huawei to build part of its 5G network. Does that present a security problem for Britain? And how seriously is that decision likely to be viewed by the other members of the Five Eyes intelligence-sharing network?

The official British position is that this is still a matter under deliberation. I’ve always said it’s up to each nation to determine the right answer for itself. What’s right for one may not be for another.

This is an issue that almost every nation, particularly industrialised nations, is coming to grips with. Australia has concluded that there’s a level of risk it isn’t comfortable with and Huawei will not be part of its 5G infrastructure. In the United States, we’re still working our way through this.

As a director of the US National Security Agency and the commander of US Cyber Command, I said this boils down to the level of risk we were comfortable with and I’d make it less about a specific nation or company and much more about how a nation ensures its economic competitiveness in the digital age. It is certainly a security issue, but with 5G you need to look through the prism of not just traditional national security, but national security in a much broader sense.

As 5G is going to be such a fundamental aspect of a nation’s economic competitiveness, I’d be worried about something that could call that into question. There are some areas where I think you could take some level of risk, but there are others where I would say the risk is very high. And I’d be very concerned about any entity if you didn’t have complete confidence that you knew what it had provided and some measure of control or oversight over it. That becomes very complex with 5G because so much of the capability is not centralised but is spread out across the network. It becomes much more difficult to mitigate the risk.

2. Former Australian prime minister Malcolm Turnbull said recently that he’d raised with US President Donald Trump his concern that 5G technology was available from a limited number of providers, none of which were in the United States. Can the US catch up in that field and provide the sort of technology that countries like Australia need?

I think the challenge is to create an environment where there are commercial options that Australia, the US, the UK, Japan and others would feel comfortable with. Part of the economic challenge is that Huawei has positioned itself with a price that US firms and other nations can’t match. We need to ask ourselves how and why that happened and whether we’re comfortable with it.

I’d hope governments could come together to work out how to generate alternatives. It seems possible to have vendors that provide a good price without the high level of risk posed by vendors like Huawei and ZTE. Can you trust a particular vendor? What’s the relationship between that vendor, that company, and its nation-state? Is that company from an authoritarian state where the legal regime and nature of the state mean the government can access data purely upon request?

It’s not just the laws on China’s books, it’s the fact that the Chinese Communist Party decides what the law is as and when it likes. It doesn’t have to go through a court or any kind of independent verification or justification. It can just tell the company, ‘You’re a corporate entity from our nation. The law says I can have access to whatever data I want. This is what I want.’ We need to spend some time, the US, Australia and others, on what we need to do to develop a viable alternative, and how can we help industry. Alternative 5G technology providers like Nokia, Qualcomm and Ericsson exist, and telcos like Telstra here in Australia are bringing 5G solutions to market.

3. Turnbull also raised concerns that the threshold for response to cyberattacks on Western nations is very high. Before you left Cyber Command, you put in place a different approach to offensive cyber operations, including the concept of defending forward. How important is that, and how can it be done? And what impact can it have on criminals and other nations’ agencies?

One of the greatest challenges we face is to change the risk calculus of actors out there to get them thinking that perhaps stealing intellectual property on a massive scale, interfering with democratic elections, and penetrating infrastructure and other areas, such as power, water, petroleum and financial that are a huge concern to any nation, are not worth the risk.

How can we convince them to step back and think, ‘While I could do this, the risk is pretty high and maybe it’s not in my best interest to do so.’

If we continue to just respond passively, to wait for people to come after our networks and to steal our intellectual property, then we’re just responding, which is a reactive strategy, a losing strategy. My experience as a military leader taught me that you want to shape the behaviour of any potential adversary, to drive them to make choices that benefit you, not them.

We need to talk about cyber as one of a broad set of capabilities we have at our disposal. We’re prepared to use that range of capabilities in the right place and at the right time within an international legal framework, with a sense of proportionality—being very discrete and very specific. It was important that adversaries knew the US had cyber capabilities and that it was prepared to use them at the time and place of our choosing if they insisted on engaging in this risky behaviour.

I think you’ve seen a shift in the past 18 months to this idea that we just can’t sit outside the network waiting for somebody to penetrate before we respond.

4. How does an offensive cyber capability work in response to an attack, how important was the elevation of Cyber Command to a combat command, and what did that signify about the US defence establishment’s level of concern about cyber threats?

There’s a full range of possibilities. Just because someone comes at us in cyber, doesn’t mean we’re going to do always the same thing.

My argument was, let’s look at the full range of capabilities that we enjoy as a nation and which of the tools we have makes the most sense in this scenario, given the target they went after and the impact they had. It shouldn’t be one size fits all.

We need to fundamentally change the risk calculus of nation-state and criminal actors because this is costing the US, Australia and others billions of dollars in the theft of intellectual property. It’s potentially placing some of our critical infrastructure at risk as opponents penetrate that infrastructure, study it, and look at changing it, degrading it, denying it over time. It’s providing intelligence and insights that can be used to disrupt and undermine policy- and national decision-making over time, including through cyber intrusions into political parties’ information systems.

We don’t want that to happen. One of my biggest concerns was that this should be based on a structure and a system that everybody understands. In the US system, combatant commanders, as the senior operational commanders, are a key part of discussions about strategy, resources and prioritisation. That’s how important cyber is. Cyber Command needs to work at that level, needs to be part of those discussions. It’s also a real positive in terms of speed of decisions and reaction.

5. How serious will cyber threats become, and how will the world deal with them?

While states such as China, Russia, North Korea and Iran attract considerable attention, the greatest activity out there doesn’t involve nation-states—it’s criminal. Criminals use cyber as a vehicle to generate money and a tool to penetrate systems, steal credit card information and identities, and run scams.

For most citizens outside authoritarian states like China and Russia, the greatest impact cyber will have in their lives is if someone steals their identity or their credit card number. Will we see cyber criminals link with terrorist groups or forming partnerships, sharing people and tools, going after common sets of targets? Will we see nation-states turning to criminal actors as a way, for example, to hide attribution?

Do you see criminal actors telling a nation, ‘If you give me protection so I’m not thrown in jail, I’m not extradited, I’ll apply my criminal activities, capabilities and cyber skills to support you’? We need to pay attention to that.

6. When the internet was established, it was generally seen as a very positive institution and a way to spread knowledge. It’s certainly done that. But it’s also been a vehicle for hate speech and promotion of terrible brutality. Is the system beyond control, or can it still be a force for good?

The average person with internet access can gather more information than anyone in the past and that can be a force for good in terms of personal growth, economic growth, sharing of information and the ability of widely dispersed individuals to coalesce around issues of concern.

The positives far outweigh the negatives. But there are some negative aspects to this unfettered connectivity (the model in large parts of the world) and the ability to move information and to coordinate around the world.

It goes back to when the internet was started in the late 1960s by the US Department of Defense to move information within the department over great distances without being stuck with using faxes and mail. Nobody was going to steal unclassified stuff, and we knew who the users were, so security wasn’t a big deal. So, we’ve built this global engine but we really didn’t think about how to defend it, how to work out if someone was real or not.

One of the questions we’re dealing with now is how do we create something totally new and build in defensibility, reliability, redundancy, and a means to ensure identity? Do you rebuild it with something new or do you keep it where it is?

But the sunk capital costs in the structure are so high, I can’t see us totally replacing it anytime soon.

That’s only possible in authoritarian states—not in truly open, market-driven economies. Again the Chinese precedent seems to show that you can shift the structures to enable high levels of social control over your population—and this system of authoritarian control through internet technologies is what they’ve been keen to export, with some success.

So how can you attempt to address some of these issues using this existing framework and how do we change it over time? You’re seeing how we do domain control, naming infrastructure, all those things continue to evolve. So it’s manmade, it’s global, but it’s going to be a changing dynamic.