Security Magazine

Debating the NSA, Espionage and Hackers with Congressman Mike Rogers

A Frank Look at the World Today with Congressman Mike Rogers

October 1, 2013
cover slide 1

U.S. Representative Mike Rogers (R-MI) is hard at work in Washington D.C., despite Congressional recess, when other lawmakers have returned to their respective districts and even the President and his family escape the heat to a vacation destination.

This is the Congressman who champions information-sharing between government and industry. This is the Chairman of the Permanent Select Committee on Intelligence for the U.S. House of Representatives, who was recently shortlisted for the position of new FBI director. He defends the truth behind the NSA data mining and boldly combats the international theft of intellectual property. He is not afraid to name names – calling out hackers and nation-states alike in their efforts to steal from American enterprises. He penned the Cyber Intelligence Sharing and Protection Act (CISPA) as an aid to the U.S. Government in investigating cyber threats and ensuring security of computer networks and systems.

But Rogers has much to do, and he has a lot of national security risks that are keeping him awake at night and that keep him in the Capitol even during the summer recess.

 

Finding His Compass

In his office, there are framed newspaper articles hanging on the wall lauding Rep. Rogers for his bi-partisanship  ... something that is becoming an extremely rare commodity on Capitol Hill.  There is also a shadowbox from a U.S. Army Unit thanking him for his time serving as an officer in the Army.

We discussed his formative years – the stories behind the newspaper clippings –  which he believed were the foundation of his values and helped to shape his career and passion for public service. After college, he served in the Army from 1985 to 1989 to fulfill his obligation from serving in the ROTC. In 1989, he joined the FBI as a Special Agent assigned to its Chicago Office, where he specialized in organized crime and corruption. Framed newspaper headlines of a major corruption arrest in Cicero, Ill. – one of his major FBI cases – were proudly displayed in his office.

When I asked him about why he left a great career path in the FBI for politics, Rogers said, “You get to a point in your [FBI] career where you have to decide if you are on the management track or the agent track. I got to this point where I thought I really tried the enforcement side and wouldn’t it be interesting to try the other side of the law – try to make the law. I had always grown up thinking that there is honor in public service and never looked at politics as a bad thing. In my house, my mom was very active in the local community. She ran for the County Commission, and I just thought it was an honorable and good thing that people did for their
community.”

 “I got this notion that I was going to try this thing and took a whirl at it,” he continued, “and I was fortunate enough to win.”

In Rogers’ first attempt at running for public office, he landed a seat in the Michigan State Senate. True to form, Rogers worked his way up the ladder becoming Majority Leader of the State Senate. In 2000, Rogers ran for Michigan’s 8th District seat in the U.S. House of Representatives and won by one of the closest margins in Congressional races across the nation.

 

Doing the People’s Work

Since assuming office in January 2001, Mike Rogers has taken on some of the most controversial issues before Congress. Bucking the norm, he has developed a strong track record for gaining bicameral and bipartisan support on issues he champions. He is a member of the Committee on Energy and Commerce and also serves on the Subcommittee on Communications and Technology, as well as the Subcommittee on Health. Rep. Rogers served as a member of the Permanent Select Committee on Intelligence prior to his appointment as Chairman of this powerful committee in 2011.

He has sponsored or co-sponsored a long list of legislation addressing a wide range of issues. These bills cover issues such as: freeing education savings from federal taxes; banning protests [on Federal Lands] from occurring near funerals of soldiers who were killed in action; and cyber intelligence sharing with the private sector.

 

NSA’s Data Collection Program...Front and Center

The press is filled with extensive coverage of what is frequently characterized as the National Security Agency’s massive data collection efforts. According to a July 2013 Pew Research Center poll conducted shortly after the Edward Snowden leak regarding the NSA program, the majority of Americans (by a 56- to 36-percent margin) were more worried about government surveillance efforts invading the privacy of Americans rather than the government not going far enough in monitoring potential terrorists. Similarly, a margin of 47- to 35-percent of Americans say their bigger concern about U.S. anti-terrorism policies is that the policies go too far in restricting civil liberties versus not going far enough to protect the country from attack. 

I asked Congressman Rogers, as Chair-
man of the U.S. House of Representatives Permanent Select Committee on Intelligence, what steps he thought the NSA could have done to avert this recent outrage over privacy protection while still maintaining an effective anti-terrorism campaign.

Rogers responded, “Well, candidly, I’m not sure that they [the NSA] did anything wrong in the development of the program. What happened was the disclosure of four pieces of a thousand-piece puzzle. I get people back home saying, ‘Well you’re listening to my phone calls.’ There has been a complete mischaracterization of what the program is. The fact that people call it a surveillance program, a monitoring program, illegal and unconstitutional, is horribly misleading and I think it is kind of a fear factor... which is why people are so upset about the whole issue.” 

“We looked at the program and looked at all the protections,” Rogers continued. “What’s important to note is the reason that the report exists is that we were conducting oversight and said we want to know everything taking place in this program.” 

He went on to explain, “A record went over the five-year mark and didn’t get destroyed right at five years. I would argue that is not a privacy issue; it’s a problem and we want it fixed, but it wasn’t a privacy violation. The fact that an overseas person, who was being looked at by our intelligence services, brought their phone into the United States... this is not a U.S. citizen. The vast majority of those (2,800 issues) came out of that pot. That’s hardly an argument for a privacy violation, so my frustration has been everybody comes to the wrong conclusion and candidly the reporting has been awful on this stuff.”

“I do think that it is fair to have a debate,” Chairman Rogers emphasized. “The way the debate has been characterized, I think, has been as an injustice to the men and women of the NSA who don’t want to violate the law – they really don’t.” 

There has been other fallout created from the broad coverage of the unauthorized disclosure of classified information on this NSA program, said Chairman Rogers. “There’s an al-Qaida affiliate that has already changed the way it communicates based on this disclosure, which means it is much more difficult for us to try to figure out what they are doing.  Unfortunately, the victims who are going to pay a consequence first are our soldiers in the field.” He further explained, “I was an FBI agent, and we knew that one clue rarely solved the crime. It is a pattern of clues that has been part of putting that mosaic together that allowed us to say that a terrorist overseas is getting ready to commit a bad act either over there or here.

“So, I get a little worried about the full scope of the disclosure. As we said, we will continue to get the dumb ones – it’s the smart ones I worry about.”

According to news reports, including one from the International Business Times, the Permanent Select Committee on Intelligence took the unusual step of bringing in every congressperson and providing them with a classified briefing on this NSA program based on a disclosed May 2012 white paper (a redacted version of which is now available to the public on the Office of the Director of National Intelligence’s website at www.dni.gov: “The Intelligence Community’s Collection Programs Under Title VII of the Foreign Intelligence Surveillance Act”).

Rogers relayed that, in his view, the original letter that came out about the disclosure was incomplete. He said that he felt they needed to have a more robust kind of conversation. So, he took the bold step of having all of the congressmen come down and explained the program to them to ensure that discussions about the program were based on fact and not fiction.

 

Nation-State Sponsored Theft of Intellectual Property

Earlier this year, Chairman Rogers came out and made a public pronouncement about the extensive efforts of the Chinese Government to steal U.S. technology.

During a dinner event held in conjunction with Hunstville, Alabama’s Space and Missile Defense Symposium in mid-August, Rogers said that “If you think about what China is doing in cyber espionage, it will curl everyone’s toes. ... It is the greatest national security threat we face that we are not prepared for,” The Birmingham News reported. Rogers was in part, the article says, referring to cyber breaches at Redstone Arsenal and more than two dozen U.S. weapons systems by Chinese hackers. A few weeks later, The Washington Postreported that more than 24 U.S. weapons systems with ties to Huntsville were impacted by a Chinese cyber attack, and as a result combat aircraft, ship and missile defense systems were compromised. 

I asked him to explain what prompted him to continue to publicly implicate the Chinese, which can be a sensitive topic, especially regarding business ties to the increasingly influential country.

Chairman Rogers responded, “We were the first government agency or government entity to officially name the Chinese in public, by the way. It was 2010, at a hearing, and I got to the point of frustration that we had these two forces in the government working against each other. The first said: ‘Whatever you do don’t tick off the Chinese. We have American companies that are trying to operate there; we have American companies doing X and doing Y.’ In the meantime, I get all of the information about the sheer level of theft by the Chinese Government, which was then handing [the U.S. intellectual property] to their business community to repurpose and compete against U.S. companies.” 

“It still happens to this day, and it is shocking, and it is dangerous to our future!,” he continued. “If we want to continue to say we are an innovative economy then we better protect the innovation of our economy... which is different than being a protectionist!”

Chairman Rogers further explained that the Chinese have very different laws on their books that require Chinese citizens, working for or doing business with an American company, to disclose all of what they are doing to the Chinese Government.

He is referencing Article 18 of the Chinese State Security Law, which states “When a State security organ investigates and finds out any circumstances endangering State security and gathers related evidence, citizens and organizations concerned shall faithfully furnish it with relevant information and may not refuse to do so” (translation provided through the International Committee of the Red Cross). In layman’s terms, this means that Chinese citizens and organizations must faithfully furnish any information requested by State Security, often regardless of an enterprise’s employment agreement, teaming agreement or vendor/supplier contracts, forming a legal loophole for intellectual property theft in China.

“It is shocking to me that we can’t get these lists [of what nation-state sponsored bad actors are doing] produced…and I’m not done with this fight yet!” Rogers stated.

We discussed Congressional testimony in 2009 by FBI Director Robert Mueller, who went on the record and reported that the FBI estimated that there are approximately 3,200 Chinese front companies operating in the United States, stealing technology and other secrets from the U.S. Government and American companies.

Rogers added that he believes a list of these front companies should be published, so other enterprises could decide if they want to take the risks involved with working with them.“I think it’s important that we continue to put pressure on the Chinese,” he said.

Nation-state sponsored efforts to steal technology to help their industries better compete is not unique to the Chinese. Major studies range in their estimates of China’s share of international IP theft – many are roughly 70 percent, but in specific industries, a broader range can be seen. Presentations by officials from the Office of the Director of National Intelligence and the Office of the National Counterintelligence Executive have publically stated that the Intelligence Community is aware of more than 140 countries, both friend and foe, that are actively and aggressively stealing U.S. technology.

According to The IP Commission, Russia, India and other countries constitute important actors in a worldwide challenge against IP theft. Many issues in these countries are the same as in China: poor legal environments for [enforcing] intellectual property rights, protectionist industrial policies and a sense that IP theft is justified by a playing field that benefits developed countries, The Report of the Commission on the Theft of American Intellectual Propertysays.

General Keith Alexander, the Commander of the U.S. Cyber Command and Director of the National Security Agency, has said that the ongoing theft of Intellectual Property is “the greatest transfer of wealth in history.”

Should Congress pass a law requiring the names of the countries involved, the technologies being targeted and the methodologies being utilized to steal these technologies to be published as soon as the Intelligence Community uncovers them?

“I’m not opposed to publishing the list and methodologies!,” said Rogers. “I’d have to think through it in the sense that I wouldn’t want to disclose something that is valuable to us for the purposes of obtaining intelligence. Obviously, I’m for disclosing their efforts to steal intellectual property.”

Information Sharing

In 1994, Michael Waguespack was appointed the first director of National Counterintelligence Center, which later became the Office of the National Counterintelligence Executive. He petitioned the National Intelligence Policy Board to include Industry as a legitimate consumer of intelligence. In 1995, the Board approved the request, and today Industry is actually listed in the National Intelligence Policy of the United States as an authorized consumer of intelligence. However, outside of companies in the Defense Industrial Base or key critical infrastructure companies, the Intelligence Community has provided very little intelligence to the private sector over this nearly 20-year period.

When asked if he thought the Intelligence Community should be required to declassify and more openly share information on methods being used against industry, Chairman Rogers quickly responded, “Absolutely. You know, it took a lot for us to encourage the agencies, when the Olympics were in China, to talk to American businesses and travelers about what the threat matrix was. I’m not talking about government people; I’m just talking about business folks and folks on their electronic devices. To me, it was just a little crazy that we weren’t going to share just how good the Chinese were about getting your personal information off of every device and then turning on that device, even after it got home.”

“I do think we have got to do a much better job of sharing,” he continued. “I’m trying to find the niche where I think we could make the most impact the quickest, and then we ought to push it out. ... If I were in the private sector, I would love to know if I’m doing contracting with someone who is PLA [People’s Liberation Army of the Chinese Communist Party]. I would love to know who has connections to Russian intelligence services here so I could say ‘Thanks, but no thanks!’”

Chairman Rogers has fought hard for government to improve information sharing with the private sector, particularly on cyber risks and threats. Rogers introduced the Cyber Intelligence Sharing and Protection Act (CISPA) H.R. 3523 in November 2011 as a proposed law in the United States, which would allow for the sharing of Internet traffic information between the U.S. Government and technology and manufacturing companies.

The stated aim of the Bill was to help the U.S. Government investigate cyber threats and ensure the security of networks against cyber attacks. The Bill had 111 co-sponsors and passed in the House, but failed in the Senate after a threat of a veto from the White House amid arguments that the Bill lacked confidentiality and civil liberties safeguards, according to a BBC report. CISPA was criticized by advocates of Internet privacy and civil liberties, including the Electronic Frontier Organization, the American Civil Liberties Union, Free Press and Fight for the Future, among others. However, it had garnered favor from enterprises such as Microsoft, Facebook, AT&T, IBM, Apple Inc. and the United States Chamber of Commerce, which regarded the proposed legislation as a simple, effective means of sharing important cyber threat information with the government, according to a May 2012 Washington Postarticle.

CISPA was reintroduced as H.R. 624 in February of 2013. It again passed in the House, but stalled in the Senate.

 

Cyber Hacking – A Clear and Present Danger

A broad range of studies from such highly respected research organizations as the Ponemon Institute have highlighted the extent, impact and the cost of not only the initial losses associated with cyber hacking and the introduction of malware into computer systems and networks, but the cost of response, investigation and mitigation efforts. These studies have pointed out that many cyber-based intrusions go undetected for well over a year or longer.

A recent study of data compiled by the Internet Crime Complaint Center (IC3), which is run for the FBI by the National White Collar Crime Center (NW3C), stated that in 65 percent of all cases of data breach, a third party notified the unsuspecting and unaware data owner of the breached computer system. The White House issued a report in February 2009 that Government experts conservatively estimated the loss to American business from the theft of intellectual property, as a result of cyber hacking, at in excess of $1 trillion in 2008 alone.

Activists, hacktivists, terrorists, organized crime, drug cartels, rogue individuals, unscrupulous companies and nation states participate in or sponsor hacking, the introduction of malware as well as denial of service attacks on computer systems and networks against U.S. companies and individual U.S. citizens.

Since the Computer Intelligence Sharing and Protection Act did not become law, it’s time to research alternatives that might work to stem the tide of hacking and its impact on enterprises’ security.

Chairman Rogers suggested that one way to attack this problem is to start impacting the finances of hackers the same way we do with terrorists, as well as naming them and restricting them as well as their families from obtaining visas.

“My argument here was so that we ought to start naming names,” Rogers said. “It’s not as broad as you’re talking about with the countries, but I’m saying let’s name them. [For example] Bob Johnson is a cyber hacker in the Eastern Bloc who is stealing your credit cards at a rapid pace and, guess what, we’re going to restrict his finance movement ... his visa movement through the United States and will name him by name. I do think that can be effective – Make the business of black hat hacking really miserable.”

 “Shame is a powerful foe!” he added.  

 

All photos provided by Congressman Mike Rogers and his staff.

 


NSA Director in the Spotlight

 

At this year’s Aspen Security Forum, General Keith Alexander, Director of the National Security Agency and U.S. Cyber Command, recently characterized the government’s meta data collection and warehousing program as vital to our ability to track potential terrorists’ cells and prevent, or disrupt their efforts. He stated that the telecommunications company’s routine was to purge their databases of meta data after a short period of time to defray the cost of maintaining large databases of information that was of little or no ongoing value to them.

Meta data is of great value to the Intelligence Community in uncovering links to potential terrorists. The problem is that when the government uncovers a potential terrorist, they need to track back patterns of communications. If past data has been deleted, it makes it virtually impossible to develop any patterns that would identify terrorist networks.  General Alexander explained that the NSA’s program of warehousing meta data would not have been necessary if the telecommunications companies and Internet providers would have been willing to store their meta data records for a sufficient period of time. He further explained that none of the data was accessed without obtaining legal authorizations to do so.  He cited more than 40 cases where terrorist’s plans were disrupted as a result of this program.

General Alexander went into great depths in explaining that meta data was like the wrapper on a piece of candy. Meta data is only the outer wrapper of the call, and it does not contain the names of individual parties to the communication or the content of the messages. He further explained that the only data collected contained simply the time, date, duration and telephone numbers of the parties involved. General Alexander stated that there had been many inaccuracies reported in the press and wanted to make sure that the public understood that this program did not involve the Intelligence Community listening into their calls or reading their e-mails.