The U.S. has powerful weapons with which to respond to enemy cyberattacks, but the effectiveness of those weapons is vastly diminished by a cyber deterrence policy disjointed at best and nonexistent at worst, senators and former defense officials said Thursday.
The nation's possible cyber responses range from retaliatory strikes with cyber or conventional weapons to economic sanctions and diplomatic protests. But the government hasn’t done enough to signal to adversaries that it will use those tools if pushed, the lawmakers and officials said during a hearing of the Senate Armed Services Committee.
The lack of a firm cyber deterrence policy has given adversary nations free rein to launch cyberattacks against the U.S. with relative impunity, Chairman John McCain, R-Ariz., said.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
McCain has long pressed the Pentagon to produce a cyber deterrence strategy and inserted language in a 2016 defense policy bill withholding $10 million in funding until the policy was produced.
When the Pentagon did produce the policy in early 2016, McCain complained it was “thin on detail and wholly lacking any new information.”
Russian government-backed hacks aimed at undermining the 2016 election, for example, may be more damaging to the foundations of democracy than a destructive cyberattack aimed at a regional electrical grid—long the chosen bogeyman of cyber watchers, McCain said.
But the U.S. spent far less time game planning how to respond to such an attack prior to 2016 and its response thus far has been underwhelming for many lawmakers.
“Treating every attack on a case-by-case basis, as we have done over the last eight years has bred indecision and inaction,” McCain said, “and the appearance of weakness has emboldened our adversaries.”
The government’s ability to respond to cyberattacks is also hampered by fuzzy jurisdictional lines between the Defense, Homeland Security and Justice departments, McCain said, and possibly between those departments' oversight committees in Congress.
“I have yet to find any serious person who believes we have a strategic advantage over our adversaries in cyberspace,” McCain said.
The hearing was organized, in part, around a recent report by the Defense Science Board, which recommended developing targeted strategies to combat cyberattacks by specific adversary nations and prepping nation-specific cyber counterstrikes.
Those counterstrikes should target “what the leadership values,” said board member James Miller, a former undersecretary of defense for policy. They should also focus on a proportional response—both ensuring the response is painful enough to make a difference, but not so expansive it precludes possible future strikes, Miller said.
Miller and other witnesses did not endorse a wholesale reorganization of the government’s cyber structure, but did urge tweaks to centralize cyber authorities.
One possibility might be to enhance the power of the Cyber Threat Intelligence Integration Center, an office President Obama created inside the director of national intelligence’s office in 2015, Miller suggested.
The government should also rejigger its cyber response structure based on war games involving military and civilian officials and perhaps Congress, said former National Security Agency Director Gen. Keith Alexander.
Most importantly, the U.S. must respond forcefully to attacks, witnesses said, in order to convince adversaries to stop.
“You re-establish credibility not by making a declaration alone, but by acting,” Defense Science Board Chairman Craig Fields said. “We have so many cyber intrusions going every day that there’s plenty of opportunity to act.”
That includes further responses to Russia’s election hacks, Fields said
“The question I’m worried about is what do we want to do so it doesn’t happen in 2018 and doesn’t happen in 2020,” Fields said. “Taking no action guarantees escalation. Taking action has the possibility of escalation but also the possibility of deterrence.”