Former NSA chief: Expect the unexpected when it comes to cyberattacks — 'don't just fixate on one or two things'

  • Adm. Michael Rogers, head of the National Security Agency and U.S. Cyber Command from 2014 through 2018, says there's "no limit" to the worst-case cyber scenarios facing the country's critical infrastructure sectors.
  • Rogers is joining Israeli cybersecurity think tank Team8 to work alongside other major corporations to fund new cybersecurity companies.

There are few limits to the destruction that could be caused by a devastating cyberattack, retired Adm. Michael Rogers told CNBC in one of his first interviews after departing the National Security Agency five months ago.

"There is no scenario that is beyond the pale of possibility in the world we are living in now," said Rogers, who oversaw the NSA for nearly four years. "The only limit, in many ways, is what is the objective of the attacker, and what's the vector that they try to use to achieve the objective. Don't just fixate on one or two things."

Rogers said that during his tenure, the agency focused its concerns on the financial sector.

"It's all about trust. It's about the ability to sustain these literally millions of global transactions simultaneously with the idea that at any one second I have perfect knowledge of money, who has it, how much, who has it, what are the flows," he said in the interview Monday.

Rogers cited the North Korean attack against Sony Pictures Entertainment in 2014 and the NotPetya global ransomware attack of 2017 as two that particularly concerned him.

The Sony attack had particularly strong implications because it was the first time a president talked about cybersecurity and called out a state actor.

"The president of the United States came out ... and said here's what happened, the North Koreans did it. That was different." This led to policy changes, including sanctions against North Korean individuals and institutions.

Now in the private sector, Rogers will join Israeli cybersecurity think tank Team8, which is led by his former counterpart in the Israeli Defense Forces, Nadav Zafrir. Rogers and Zafrir joined representatives from several large corporations partnering with Team8 to invest in a fund that will help build new cybersecurity companies: Wal-Mart, SoftBank, Airbus, Barclays, Munich RE, Moody's and Nokia.

Zafrir agreed with Rogers on the significance of the Sony and NotPetya attacks. The incidents brought "the realization that we hit a new point in connectivity — we moved from connectivity to hyperconnectivity," he said. "It's now a business issue. It's something that can take your company to its knees."

A focus on resilience, a lack of history

The increase in attacks calls for a greater focus on recovering from cyberattacks, not stopping all of them, Zafrir said.

Security representatives from several of the companies joining the partnership agreed that resilience in the face of attacks is key.

"Susceptibility to attacks is much more volatile," said Derek Vadala, chief information security officer of Moody's. "But resilience is much more constant."

Bouncing back is also vital because today's cyberattacks are a lot less predictable than historical disasters, according to Torsten Jeworrek, a member of the board of management of Munich RE. While insurers can rely on 100 years or more of weather-related data to write corporate policies for hurricanes or floods, cyberattack data only go back around two decades.

"Even then, if you take 20 years of data — remember, 15 years ago, smartphones didn't exist, cloud services didn't exist," he said. To combat this problem, companies are increasingly relying on data gathered by cyberintelligence professionals to help fill in the risk gaps left by a lack of history.

The number of "smart" devices — everything from digital clothing to smart "skin" that helps inform doctors how it is healing — will grow exponentially in the coming years, said Marcus Weldon, Nokia Bell Labs chief technology officer and president. He said engineers at Nokia envision a world where each person has as many as 100 connected devices, and his company envisions a world of a "trillion connected devices."