recommended reading

Shoddy U.S. Cyber Deterrence Policy Emboldens Adversaries, Lawmakers Say

Sen. John McCain, R-Ariz.

Sen. John McCain, R-Ariz. // J. Scott Applewhite//AP

The U.S. has powerful weapons with which to respond to enemy cyberattacks, but the effectiveness of those weapons is vastly diminished by a cyber deterrence policy disjointed at best and nonexistent at worst, senators and former defense officials said Thursday.

The nation's possible cyber responses range from retaliatory strikes with cyber or conventional weapons to economic sanctions and diplomatic protests. But the government hasn’t done enough to signal to adversaries that it will use those tools if pushed, the lawmakers and officials said during a hearing of the Senate Armed Services Committee.

The lack of a firm cyber deterrence policy has given adversary nations free rein to launch cyberattacks against the U.S. with relative impunity, Chairman John McCain, R-Ariz., said.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

McCain has long pressed the Pentagon to produce a cyber deterrence strategy and inserted language in a 2016 defense policy bill withholding $10 million in funding until the policy was produced.

When the Pentagon did produce the policy in early 2016, McCain complained it was “thin on detail and wholly lacking any new information.”

Russian government-backed hacks aimed at undermining the 2016 election, for example, may be more damaging to the foundations of democracy than a destructive cyberattack aimed at a regional electrical grid—long the chosen bogeyman of cyber watchers, McCain said.

But the U.S. spent far less time game planning how to respond to such an attack prior to 2016 and its response thus far has been underwhelming for many lawmakers.

“Treating every attack on a case-by-case basis, as we have done over the last eight years has bred indecision and inaction,” McCain said, “and the appearance of weakness has emboldened our adversaries.”

The government’s ability to respond to cyberattacks is also hampered by fuzzy jurisdictional lines between the Defense, Homeland Security and Justice departments, McCain said, and possibly between those departments' oversight committees in Congress.

“I have yet to find any serious person who believes we have a strategic advantage over our adversaries in cyberspace,” McCain said.

The hearing was organized, in part, around a recent report by the Defense Science Board, which recommended developing targeted strategies to combat cyberattacks by specific adversary nations and prepping nation-specific cyber counterstrikes.

Those counterstrikes should target “what the leadership values,” said board member James Miller, a former undersecretary of defense for policy. They should also focus on a proportional response—both ensuring the response is painful enough to make a difference, but not so expansive it precludes possible future strikes, Miller said.

Miller and other witnesses did not endorse a wholesale reorganization of the government’s cyber structure, but did urge tweaks to centralize cyber authorities.

One possibility might be to enhance the power of the Cyber Threat Intelligence Integration Center, an office President Obama created inside the director of national intelligence’s office in 2015, Miller suggested.

The government should also rejigger its cyber response structure based on war games involving military and civilian officials and perhaps Congress, said former National Security Agency Director Gen. Keith Alexander.

Most importantly, the U.S. must respond forcefully to attacks, witnesses said, in order to convince adversaries to stop.

“You re-establish credibility not by making a declaration alone, but by acting,” Defense Science Board Chairman Craig Fields said. “We have so many cyber intrusions going every day that there’s plenty of opportunity to act.”

That includes further responses to Russia’s election hacks, Fields said

“The question I’m worried about is what do we want to do so it doesn’t happen in 2018 and doesn’t happen in 2020,” Fields said. “Taking no action guarantees escalation. Taking action has the possibility of escalation but also the possibility of deterrence.”

Threatwatch Alert

Stolen laptop

Wireless Heart Monitor Maker to Pay $2.5M Settlement to HHS After Laptop Stolen

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

    Download
  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download

When you download a report, your information may be shared with the underwriters of that document.