President Donald Trump has not specifically directed Adm. Mike Rogers to “disrupt Russian cyberthreats where they originate,” the NSA director and head of U.S. Cyber Command said during a congressional hearing Tuesday.
“I need a policy decision that indicates there is specific direction to do that,” Rogers said before the Senate Armed Services Committee. “The president ultimately would make this decision in accordance with a recommendation from the Secretary of Defense.”
The comments come as multiple investigations looking into the Kremlin’s expansive meddling in the 2016 U.S. presidential election continue to unearth new information.
“I believe that [Russian] President [Vladimir] Putin has clearly come to the conclusion ‘There’s little price to pay here, and that therefore I can continue this activity,'” Rogers told lawmakers.
Speaking to the committee as leader of U.S. Cyber Command, Rogers noted that he is currently able to direct operators to take certain actions against Russia without approval from the White House. And he has done so in the past. But Rogers declined to explain further, citing concerns around disclosing classified information.
“The president ultimately would make [a decision to strike] in accordance with a recommendation from the secretary of Defense,” added Rogers, who appeared to be talking specifically about Cyber Command’s role. “I haven’t been granted any additional authorities … I am not going to tell the president what he should or should not do.”
Multiple lawmakers blasted Rogers about what they described as a lack of both an offensive and defensive cybersecurity strategy from the Trump administration. Such a strategy, they posited, could help actively counter Russia’s continued aggression. Rogers, who dodged questions by claiming he is “not a policymaker,” explained that there are significant limitations and legal statutes which must be complied with to run offensive cyber operations. These laws, Rogers said, limit the freedom of Cyber Command to pursue some missions.
“The challenge for us is that we have this thing called the law, a legal framework, where it shapes right now what DoD can and can not do,” Rogers said in response to a question from Sen. Bill Nelson, D-Fla. “I am not trying to minimize that.”
The exchange underscores a broader question about which operational authorities are controlled by the “dual-hatted” leader of NSA, a Title 50 spy agency, and Cyber Command, a Title 10 warfare unit.
Under the current arrangement, deploying offensive cyber weapons is often a highly controlled action that’s managed through a process that includes input from the NSA and the White House, along with the State Department, Justice Department and Department of Homeland Security. The process differs from covert intelligence operations carried out by the CIA or NSA, where a more streamlined process can be followed.
For the last several years, Cyber Command officials have been pushing for the authority to conduct a wide range of missions, saying the Title 10 law can be far too limiting for cyber operations, which often impact various devices that are sometimes not based in designated war zones. At the moment, the laws guiding both Cyber Command’s and the NSA’s legal authority are controlled by a mix of the Executive Branch and Congress.
The limitations that officials and lawmakers have complained about can be changed through legislation or executive order.
The hearing was Rogers’ last in his current capacity, as he is set to retire later this spring. A confirmation hearing for his successor, Army Cyber Command’s Gen. Paul Nakasone, has been scheduled for Thursday.