Foreign governments are building relationships with criminals and other hackers to hide their attempts to break into American computer systems, the head of U.S. Cyber Command told members of Congress on Wednesday.
"It potentially or theoretically makes it more difficult to go country X and say we see this activity going on, you are doing it, this is unacceptable to us," Adm. Michael S. Rogers said. "And their ability to say it's not us, it's criminal groups."
Rogers, who leads both Cyber Command and the National Security Agency at Fort Meade, said criminals remain the most numerous threat to American networks and people's data, but foreign governments have the patience, skills and resources to carry out the most sophisticated attacks.
In prepared remarks, he focused on how Russia's state-backed hacking efforts sometimes overlap with the work of criminals.
"Russia has very capable cyber operators who can and do work with speed, precision and stealth," he said. "Russia is also home to a substantial segment of the world's most sophisticated cybercriminals, who have found victims all over the world."
The admiral's comments lent weight to those of analysts and lawmakers who have argued that the Russian government relies on criminal groups to carry out hacking attacks.
The U.S. government has not named Russia as the suspect in any particular attack, but the country is believed to be responsible for the breach of the email system of the Joint Chiefs of Staff last year. Officials regularly cite China, Iran and North Korea as other top hacking threats.
Rogers testified before a panel of the House Armed Services Committee on the budget for Cyber Command. The organization recently announced a campaign against the self-declared Islamic State.
It was the first time the United States has acknowledged carrying out a cyber warfare campaign. The details remain mostly secret.
"USCYBERCOM is executing orders to make it more difficult for ISIL to plan or conduct attacks against the U.S. or our allies from their bases in Iraq and Syria to keep our service men and women safer," he said.
Rogers said the command is looking to take on a greater role before conflict breaks out, using cyber power to dissuade adversaries from starting a conflict.
"We at USCYBERCOM are thinking more strategically about shifting our response planning from fighting a war to also providing decision makers with options to deter and forestall a conflict before it begins," he said.
For 2016, the command has a budget of almost $500 million and a staff of some 1,400 troops, civilians and contractors working at Fort Meade. Rogers said he expects the organization to be fully operational by fall of 2018.