The federal government, including the Defense Department, needs a clearer plan about how to respond to attacks on civilian systems, members of the Senate Armed Services Committee argued Tuesday.
Sen. John McCain, R.-Ariz., suggested drafting a policy about "what the United States' actions would be in the case of a threat, in the case of an actual attack," he said during a hearing on encryption and cybersecurity.
“If you don’t act, I guarantee you Congress will act," he said, addressing witnesses Adm. Mike Rogers, director of the National Security Agency, and Marcell Lettre, undersecretary of defense for intelligence.
The hearing illustrated disagreements between members of Congress, senior cyber officials and private technology companies about the best way to cooperate on preventing not only future cyberattacks, but physical attacks planned using encrypted communication such as WhatsApp.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
In response to McCain's suggestion, Lettre argued during the hearing that "new legal and regulatory approaches are not as potentially productive as robust" conversations between the public and private sectors.
Lettre said the public and private sectors are often able to cooperate "if on the government side, we're able to communicate the problems we're trying to solve, and ask for industry's best expertise and wisdom about solutions."
Sen. Jeanne Shaheen, D-N.H., noted that so far there have been "limits" to that strategy, as Twitter has still been reluctant to share access to its so called firehose of data.
"Right now, we've had mixed reviews of the opportunity to work collaboratively with the private sector," she said.
Senators seemed stumped by Twitter's refusal to share access to its analytics service Dataminr with intelligence agencies.
"Shame on them," McCain said, asking witnesses what could be done other than "exposing [Twitter] for what they are."
The United States "must balance our national security needs and the rights of our citizens," McCain said, though he added the U.S. must recognize that authoritarian governments may search for keys to suppressing dissents and monitor their own citizens.
“Yet, ignoring the issue, as the White House has done, is not an option," he said.
Asked what new technology could change domestic cyber response, Rogers explained his team is especially interested in artificial intelligence and machine learning.
"How do we do cyber at scale, at speed," he said, noting that focusing purely on hiring more cyber talent instead of investing in more advanced technology "will be both incredibly resource intensive and it will be very slow."
Rogers said he was especially worried hackers might become less interested in extracting U.S. data for their own purposes, and more on manipulating information so it can't be trusted. For instance, if military commanders can't trust the tactical maps they have, they can't effectively make decisions, he explained.
"What happens when nonstate actors decide that the internet is not just a forum to coordinate ... but instead offers the opportunity to act as a weapons system?" he asked.