The former chief of the National Security Agency (NSA) in the US has said that government must work more closely with the private sector to fend off cyberattacks.
Admiral Michael S. Rogers (Ret’d), the former NSA director and Commander of US Cyber Command, said it is not ‘optimal’ for specialist government agencies to have to rely on being told when a network intrusion occurs, especially when it comes to critical national infrastructure.
Admiral Rogers, who served in both posts from April 2014 to May 2018, during the presidencies of Barack Obama and Donald Trump, said: “I think we’ve got to fundamentally change the model between government and private sector. And I say this as an individual who’s been part of the US structure for 37 years, this idea that we keep talking about collaboration and information sharing is just not enough to me.”
Speaking at Futurescot’s Cyber Security 2025 conference in Glasgow on Tuesday, Admiral Rogers said that the model of sharing cyber threat intelligence from government agencies to the private sector, and counting on them to respond when something goes wrong, is inherently flawed.
He said it means that agencies “are always responding…and are always reacting”, when they need to be anticipating and be out in front of the cyber adversaries.
“I think we need a much more integrated approach, particularly in critical infrastructure, when we’re actually working together side by side, 24/7, and we actually have situational awareness of not just threat actors, but network activity,” he said.
“As a military guy, I always wanted to drive the adversary. I wanted them to react to us. I didn’t want to react to them. I wanted to shape their behavior. I wanted to drive their behavior. I wanted to limit their options. I wanted to drive them to make choices that actually optimise the probability of the outcomes that I wanted, not the outcomes they wanted.”
Admiral Rogers said he had reflected on his time in post, and understood that it was impossible to do everything when it comes to protecting against every cybersecurity vulnerability. However, he insisted that critical networks – such as energy and finance – where there is such a high price to pay as a society if services are impacted, “justified” a different approach.
He praised Ukraine for altering its approach in this regard. Since the unprovoked 2022 invasion by Russian forces, the country has adapted the way it deals with cybersecurity. Firstly, he said the country now has the highest level of cyber resilience that he has seen anywhere in the world, and secondly they have changed the way government works with network owners.
Admiral Rogers’s third recommendation was that ‘doing cybersecurity on a schedule’ was ineffective.
“You want to keep the adversary on their toes. You want them unsure as to what your schedule is. You want them to be concerned about your unpredictability. You want them to look at you as a learning, adaptive target,” he said.
The idea that software patches can be done ‘on a Tuesday’ was not a sensible way to configure networks, when adversaries are looking to exploit any understanding they have of a network’s behaviour.
Admiral Rogers also told the conference at Strathclyde University’s Technology & Innovation Centre that 10 years ago, the thinking was that new technologies such as AI would “give us the edge” in cybersecurity, but that was no longer the case.
He said we have to be faster in adopting new technologies, using automation when it comes to simplistic tasks like pattern recognition, and finally that there has to be more willingness to take risk.
Going forward, as automation and AI are deployed more and more, good cybersecurity will also be enhanced by the way organisations use the knowledge, skills and experience of their people, he said, adding: “While there is a strong technical dimension to our profession, it’s not the be all and end all. I believe that humans are the ultimate advantage.”
‘Five Eyes’ working against cybercriminals globally
For the first time, the conference heard from law enforcement members of the Five Eyes Alliance (FVEY), an intelligence-sharing coalition comprising the United States, United Kingdom, Canada, Australia, and New Zealand. Originally established during World War II for signals intelligence cooperation, it has since evolved into a broad alliance covering cyber threats, counterterrorism, and other security concerns.
In the context of cybercrime, the Five Eyes alliance facilitates cross-border cooperation between law enforcement agencies, and its joint operations have included the likes of Operation Endgame in 2023, which led to the takedown of key ransomware infrastructure.
In the morning session, the panel discussion focused on the joint initiatives undertaken by the partners to thwart cybercriminals globally. DCI Andy MacLean, who oversees Police Scotland’s Cybercrime Investigation Team, said: “The network allows us to expedite communications, share information really quickly, if we’ve identified infrastructure in a different country, we can take action. The benefit of that is I don’t always need to apply for a warrant in the US, because the FBI will have much better resources there and a much better way of taking out that infrastructure. I’m talking here about the really high-threat ransomware attacks, and the groups that are behind them.”
Wanda Mizell, Intel Assistant Legal Attaché with the Federal Bureau of Investigation (FBI) in London, added: “In order for us to stop this threat, or at least to slow it down, and actually understand it and get a better idea of the ecosystem, we have to work together. Almost every report that we do will have a Five Eyes line, so that we’re sharing that intelligence with each individual country.”
Law enforcement is, however, finding it hard to keep up with evolving technologies. Colin Paul, cybercrime liaison officer for the Royal Canadian Mounted Police in London, said: “As technology moves forward, the criminals adapt really, really quickly to it. But our legislation, our governments as a whole, are kind of slow.”
He gave the example of cryptocurrency, which has been in existence for over a decade, but it’s only now that law enforcement are starting to find ways to target the cybercriminals’ preferred means of making money. The Five Eyes partnership helps by facilitating a joined-up approach to target those exchanges in different jurisdictions.
Paul said: “That’s where the Five Eyes really can help each other out, because we see these exchanges, we see these bulletproof hosting platforms out there, we come back, we share and then we can move forward collectively with that massive disruption, particularly when they’re sitting in foreign states where we don’t have reach.”
Another message the panel were keen to promote was speed of engagement. The quicker a victim is able to get law enforcement agencies involved with a cyber incident, the better the chance of collecting evidence against the perpetrator and going after their own networks. Paul added: “When we get engaged weeks later, after servers have been taken down, things have been wiped and things are being scaled back up, a lot of evidence has been lost, so don’t hesitate to pull that trigger early on to get us involved.”
And the Five Eyes partnership has yielded successes in Scotland. DCI MacLean gave an example of a young man who was arrested as a result of intelligence received from the FBI. He had been committing DDoS (distributed denial-of-service) attacks from his base in Scotland, but using a server hosted outside of the country. Police Scotland was nevertheless able to apprehend him and seize assets worth £40,000, and the perpetrator went on to receive a custodial sentence.
The reality, however, is that it remains difficult to achieve criminal justice outcomes in many cases, given the borderless nature of the crimes, with many cybercriminal entities outside of even Five Eyes’ jurisdictions. MacLean said: “Our real focus is on victim safety, preparing victims or supporting them through that, especially with ransomware because we know these are connected by state-backed actors and countries.”
Scotland’s national capabilities
“Cyber exercising is probably the single easiest, cheapest, most effective thing you can do right now to dramatically improve your cyber resilience,” said Alan Gray, the head of national cyber security and resilience at the Scottish Government.
“We are currently sitting about 63% of public sector organisations who test their cyber response plan annually, assessing various scenarios. I want to get that 100% so we’ve got a way to go. But when we first started recording that stat it was around 22%, so we have come a long way,” said Gray.
There is now a growing cadre of cyber exercising facilitators across Scotland’s public sector, which is helping to bolster organisations’ resilience plans, as well as a growing public sector cyber resilience network which promotes programmes run by the UK’s National Cyber Resilience Centre. The conference heard earlier that one of the key NCSC initiatives – the Active Cyber Defence programme – has already helped reduce the UK’s global share of email phishing from 5.3% to 1.4%.
Innovation is also key and the Scottish Government’s CivTech challenge programme is working to support cybersecurity in the public sector. Supply chain assurance and ransomware have been two recent challenges focused on addressing critical gaps in national cyber defences, said Gray.
On the education front, there are now 34 schools in Scotland which have achieved ‘Cyber First’ status, the highest concentration anywhere in the UK, again in a programme supported by NCSC to raise awareness and skills in cybersecurity in classrooms.
And cyber skills in the public sector are being tackled: 290 course places have been funded in Scottish public bodies, including local councils and health boards, to improve cybersecurity skills within those organisations.
In the past year, the Scottish Cyber Coordination Centre (SC3) has continued to evolve, said Gray. It is a strategic resource and aims to become the focal point for Scotland’s cyber resilience, providing services to combat and respond to the accelerating cyber threat and promoting adherence to best practices and standards across critical functions.
Gray said: “SC3 will evolve over time, but it’s not going to be driven by what I want to see, and not by what the team want to do, but this is very much going to be driven by all of you and what the public sector needs, and the signals we get from the communities to what services and capabilities we should be building in order to meet these objectives.”
Going forward, there will be a need to constantly refresh Scotland’s national strategic framework for cybersecurity, said Gray, in light of increasing geopolitical instability, the rise in ransomware and other threat vectors including cyber proliferation and the rapid evolution of AI.
He said: “There is the UK cybersecurity and resilience bill, which will be coming in, and which will affect us, so we need to make sure that we’re incorporating that into the framework and telling public sector and everybody else in Scotland what that means for them.”