Adm. Michael S. Rogers, USN (Ret.) joins the Nexus podcast to discuss the Biden administration's National Cybersecurity Strategy, and its themes of cyber resilience and critical infrastructure protection.
Cyber Resilience
Healthcare
Industrial
Operational Resilience
Risk Management

Nexus Podcast: Adm. Michael Rogers on Deterrence in Cyberspace

Michael Mimoso
/
Oct 2, 2025

Subscribe and listen to the Nexus podcast on your favorite platform.

As adversaries continue to aggressively encroach on U.S. critical infrastructure, it’s becoming blatantly obvious to experts that deterrence in cyberspace on the part of the government or asset owners and operators isn’t working. 

China’s state-sponsored activity—the so-called Typhoons, Volt Typhoon and Salt Typhoon—have been alleged to have embedded malicious code in CI networks for the purposes of activating these offensive tools during a time of military conflict for example, not only causing destruction on electric or water systems for example, but also sowing chaos among society. 

This is a bold, strategic shift, and China is not alone. According to Adm. Michael Rogers (Ret. USN), U.S. defensive strategies have not been effective in warding off this threat. 

“Clearly we haven't achieved [deterrence in cyberspace],” Rogers said on the Nexus Podcast. “If you accept the premise that deterrence is the concept that you can change an adversary's behavior, you can change an adversary's mind about their willingness to do something, you can deter them from doing something. Therefore, if you can change an adversary or another actor's strategic calculation and deter them from engaging in activities that are of concern, for example, to the U.S., hey, that's a positive. That's been the goal.”

Intent or Will to Deter Adversaries is the Key

Rogers, former Director of the National Security Agency from 2014 to 2018, says that isn’t the current reality—and that it may be our own self-imposed rules of engagement that are posing challenges to our efforts to deter adversary activity. 

“I don't think any nation in the world has managed so far to … achieve cyber deterrence, if you will, I think in part because deterrence broadly is a combination of capability and intent or will,” Rogers said. “So the capability side is: how can you convince an adversary either that your cyber defenses, cybersecurity, cyber resilience is so high that they're probably not going to succeed? Or how do you convince them that your capabilities to respond to that kind of activity is such that you could make this very painful for them if they were to choose some things that you don't want?”

Rogers added that current approaches of hardening systems as a means of trying to convince adversaries it was too challenging to breach assets and networks isn’t a viable strategy. 

“I never thought that was the way we were going to deter them,” Rogers said. “I thought our best hope for deterrence was to highlight to other nations we have the capability to respond in a like manner or even potentially with greater capability, combined with, and I want you to understand we have the will to do so, that if you continue down this road, we not only have the capability to respond, but we are prepared to respond. I think it's the latter portion, this idea of will or intent. That's where we just haven't done enough.”

Reauthorization of CISA15

In this episode, Rogers also discusses the expiration of the Cybersecurity Information Sharing Act of 2015 (CISA 15) on Sept. 30. The legislation facilitated the bidirectional flow of information between the government and private sector on cybersecurity incidents. While Rogers said he believes the act will be reauthorized in time, there are experts believe that any prolonged period without it in place threatens national security, privacy, and innovation. 

“The challenge is, it's gotten caught in a broader political discussion about what’s CISA's role? What information should CISA be providing? What broader set of activities should CISA be engaged in? So it's taken on a bigger context than the specifics, if you will,” Rogers said. “It's not a silver bullet. I’m not going to say the sky is falling, this is the worst thing that could happen, but I will say, look, ‘This was a significant benefit both to the private sector, but also because I always liked the fact it facilitated a two way flow of information.’ 

“I wanted to learn as much as I could for the private sector. As much as I wanted to provide the private sector with insight, I also wanted to learn from them. So I liked the idea that we were moving information back and forth. I suspect the impact of this is decreased information flow, less threat warning information coming out of the government. I’m not going to say it all stops, but there'll be less of it.”

Cyber Resilience
Healthcare
Industrial
Operational Resilience
Risk Management
Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.

Stay in the know Get the Nexus Connect Newsletter
You might also like… Read more
Latest on Nexus Podcast