What can we do about cybercrime? It cannot be left to either individual organisations or national governments, says Admiral Michael S. Rogers, former head of the US National Security Agency

Governments need to re-evaluate their responses to organisations who are hit by ransomware as current models are not working, according to the former head of the United States National Security Agency (NSA).

Admiral Michael S. Rogers, director of the US’s largest intelligence organisation and commander of US Cyber Command from 2014 to 2018, believes that there is an increasingly unsustainable tension between governments as a regulator and enforcer of data standards and a provider of security and law enforcement services to victims of cybercrime.

“Government can’t talk out of both sides of its mouth,” he explains. “It can’t impose penalties and restrictions on the one hand, and on the other say but we want you to be honest and open.” Rogers, who had a distinguished 37-career in the US Navy, rising to the rank of four-star admiral, adds: “I wish governments – and this is true of my own – spent more time asking themselves what can we do to help as they tend to spend on saying ‘let me tell you what you can’t do’, and if you do this here’s how we’re going to punish you. 

“I’m not arguing that standards and regulatory policies are bad. It’s just I wish the dynamic was a little more… how can we work together collaboratively, which just doesn’t seem to be as much as a focus to me.”

Rogers was speaking in the context of how victims of cybercrime, particularly with the now industrial nature of ransomware, face having to recover from the incident, which can be extremely costly, and then potentially left open to a punitive fines regime under – in the UK at least – the General Data Protection Regulation (GDPR). Even if an organisation is not sanctioned by the Information Commissioner, the regulator, they still face a six-year statute of limitations whereby anyone who loses their personal data in a breach can pursue the organisation, either individually or as part of a class action, for damages.

He describes the situation in the US as broadly similar. “Remember, part of the idea of the fine is that we’re trying to use this to apply pressure to change behaviour, and that’s not necessarily a terrible thing. But the flip side to me is that it’s one thing if this happens because it’s gross negligence on the part of the company, but it’s another if this happens despite a reasonable level of effort and a reasonable application of resources and a reasonable prioritisation, a hacker gets in. I’m not sure we’re incentivising or achieving the outcomes that we really want here.”

He adds: “So, if the price of being honest is that I get sued then I’m not so sure I’m inclined to be honest and open. We’ve got to change that dynamic and help businesses; we can’t just turn to them and say, ‘Well hey.. it’s your responsibility.’”

The overall effect, he says, is that the current policy and regulatory landscape is confused and ultimately confers an advantage on the cybercriminal gangs. He says: “We want to make this harder for them, not easier. And I think we want to remove the stigma from businesses coming forward and saying, “hey look, this happened to us’. My view is that we want that, so we learn from it. What did you do that worked well and what didn’t work well? And so we generate those insights and knowledge that we can share with a broader set of people, a broader set of potential targets.”

Rogers welcomes the fact that US President Joe Biden issued an executive order for cybersecurity in May last year, which sought to beef up the country’s response to cybercrime. And he said the fact a debate is now being had about whether to make paying ransomware gangs illegal may give organisations pause for thought before taking the perceived easier option of paying up and moving on. Typically, ransomware gangs are thought to make well-calibrated financial calculations of what they think organisations can afford to pay, which is why they have become so successful over the course of the last several years, and cost the world an estimated $20 billion in 2021, according to Cybersecurity Ventures.

Rogers says: “Aside from that we have no legal prohibition against paying, we have no legal requirement, for example, to reveal that you’ve been the victim of a ransom or attack. And there’s this dark world that people just aren’t smart about…because we’re not shining a light on it. In my opinion, we’re helping the criminals in many ways, and that’s not good, to me.”

For Rogers – who now works as a consultant in cybersecurity, geopolitics, quantum technology, robotics, space and advanced technologies – international cybercrime is “getting worse, not better” and there needs to a multi-dimensional approach to dealing with the problem. He insists no one nation can fix it alone and governments and the private sector must work together. He says the strategy has to ensure there is an ever more robust technical and defensive posture to protect networks from hackers, but there also needs to be efforts to cooperate geopolitically to ensure there are no safe places for cybercriminals and that law enforcement can do its job. Even at a time when tensions are running high with Russia – one of the principal loci of operations for cybercrime – these are issues that the West cannot avoid confronting head on.

Rogers says: “Why is it that these groups are able to act using the same locations for years at a time? We’ve got to put the pressure on them and take away their safe havens. It should be the focus of every nation in the world to attempt to try to address this issue and not let Eastern Europe and the Russians say we’re not really the targets, so it’s not our issue. Well, they’re operating in your territory.”

He adds: “We want to arrest, extradite, jail these people, because that’s part of deterrence. If people think they’ve got a high probability of going to jail, you see this in crime writ large. You generally help to stamp it down if the perception among criminals is ‘boy, I’ve got a high probability of going to jail’”.

On the Russian front, metaphorically speaking, there is no doubt in Admiral Rogers’s mind that the Putin regime pays scant attention to policing the activities of the many cybercrime gangs there. Whether they are tolerated or actively enabled by the state, though, is a grey area and one for which even intelligence agencies still doesn’t have all the answers.  

“That’s clearly the million-dollar question,” he says. “Let’s start with the facts: Eastern Europe and Russia represent the single greatest concentration of cybercriminal gangs in the world. They’re not the only place in the world where you have cybercriminal gangs, I’m not trying to imply that. 

“But they’re the greatest concentration; there’s probably a variety of reasons for that. They’ve got access to good talent in those areas, they’ve got access to reasonable infrastructure in those areas and they feel they can operate with a lower level of risk in those areas than, for example, if they tried to do it in the UK or the United States.”

He adds: “I’m not trying to argue that the UK or the United States don’t have cybercriminals, but you generally don’t find the same scale, the same numbers. So the million-dollar question was always why is it they seemingly feel more comfortable that they’ve opted to base themselves there? Is it because there’s some explicit agreement that the state will provide them some level of protection if they don’t attack or go after infrastructure associated with that particular nation or that nation’s interests? Is it because the security services or the government are part of the process? We’re always trying to see if we can get proof either way; to date, I would argue the sense is there is some level of knowledge among the host governments about what is going on. I said ‘some knowledge’ because I’m not going to say there’s a smoking gun but there’s some level of knowledge. And that there appear to be some level of relationships between the groups and state. Now for what purpose, at what level, again those are issues which I think aren’t fully identified yet.”

Miscalculation therefore becomes an important consideration. Last year’s executive order undeniably put more focus on ‘offensive cyber’ as a capability that can be deployed more readily by the US. Similarly in the UK, the government’s announcement of a National Cyber Force – a partnership between intelligence and the military – is a step change in countering the intertwined problems of – and increasingly blurred lines between – ransomware and nation state cybercrime. Recent warnings from the National Cyber Security Centre – that malicious hacking activity targeted against Ukraine could spill over into UK computer networks – only serves to illustrate the risks Admiral Rogers describes of mounting offensive cyber operations.

He says: “I think there has been a recognition that cyber presents some range of capabilities that are of value in trying to deal with this issue. But also they’re not the silver bullet in and of themselves. I think there’s also increasingly public acknowledgement that says we need to be very measured and very careful here; it’s just like the application of a weapons system in the physical world – you’re always worried about fratricide or collateral damage, and that’s true in cyber.” Add to that the fact cybercriminals tend to use the same network infrastructure as many legitimate businesses, and the ‘second or third order’ effects of such a strike come into play. No serious or credible attack option can be put on the table without making very careful decisions about their wider impacts, especially given how easy it is for cybercriminals to change their methods.

“My argument is always, look, if you think cyber is going to deliver some knockout punch against criminal groups or nation states you don’t understand the way this works,” says Rogers. “Can you use cyber as a tool to have impact? Yes. Can you use cyber as a tool to make the actor’s life more difficult? Yes. Again, we have to stop thinking that it’s just one thing that solves this: that if we just use cyber as an offensive tool to attack these criminals, we can make it go away. That’s not the case guys. It’s all about how you apply multiple leverage.”

What we now call the internet has evolved in a patchwork fashion since the technology was first conceived by the US defence research agency, DARPA, in the late 1960s. It was, according to Rogers, never designed as a secure network, but rather to share unclassified information over “widely dispersed points”. It should be no surprise, then, that something that has been added to and built upon by academics, researchers and business over the years is continually discovering new ‘vulnerabilities’. Many of these have existed for decades and when they are ‘discovered’ cause untold panic among security professionals. Log4j – the Java logging utility – is one such example: it was created over 20 years ago but its existence as a potential exploitation route for cyberattacks was only publicised in December last year. If those who designed the internet could have imagined how it would be used half a century later, there is little doubt it would have been an entirely different project.

Rogers says: “We didn’t think about security because we thought who the hell would want to go after unclassified information? We didn’t think about identity or privacy because these users were all known to each other. Then over the course of the next 20 years as we morph into what ultimately becomes the worldwide web by 1992, that basic structure has taken on a whole host of activities that we didn’t even consider when we first created it, activities in which privacy and security are very important: ‘Hey I’m going to use this structure to move money, I’m going to use this structure to share my medical records, I’m going to use this structure to share images…I’m going to use this to share a whole host of mediums, I’m going to use this to share information that were it to become public could be very damaging’.”

Looking forward, there are examples of new technologies that do offer a longer term prospect of offering something that is ‘secure by design’. But Rogers says we need to manage our expectations in that regard, too. Decentralised and peer-to-peer networks built on Web 3.0 blockchain technologies are an exciting next generation of the web but are not a panacea. 

“The challenge gets to be we’ve got so much money invested in basic infrastructure from a business standpoint it’s hard to just walk away from what exists,” says Rogers. “Everybody hopes that ultimately just one technology is going to fix it. So far that has not proven to be the case and I don’t think it’s likely to be the case in the next decade. Secondly, remember guys this isn’t just technical. This is also about culture – this is about human expectations and the way humans act in this environment that we call the worldwide web and the choices that humans make. So don’t forget there is not just a technical aspect to this but a cultural and user dimension that when we’re developing solutions we always have to account for.”

Admiral Michael S. Rogers spoke at Futurescot’s Cyber Security 2022 conference on Monday 28 February to launch Cyber Scotland Week #CSW22 #FSCyber