Pentagon’s Lack of Cyber Policy Illegal, McCain Says

Senate Armed Services Committee Chairman Sen. John McCain, R-Ariz. Evan Vucci/AP

Senators pressed Defense and intelligence officials on rules of war for cyberspace at a Tuesday hearing

A week after President Obama announced an agreement with Chinese President Xi Jinping to limit corporate espionage—a tentative step toward setting up norms of state behavior on the Internet—a panel of senators urged cybersecurity officials in the Defense Department to go further in establishing clear rules of war for cyberattacks.

As senators on the committee pushed Tuesday for a more clearly delineated cyber policy—and better follow-through to make U.S. intentions clear—the committee’s chairman, Sen. John McCain of Arizona, suggested the lack of such a policy is illegal.

In a heated exchange, McCain pressed Deputy Defense Secretary Robert Work on his department’s progress in developing an “integrated policy” for cybersecurity, a task Congress assigned the department in the fiscal year 2014 Defense reauthorization bill.

“Suppose there’s an attack, a cyberattack, like the one on OPM,” McCain said, referring to a pair of data breaches at the Office of Personnel Management that affected more than 22 million individuals. “Do we have a policy as to what we do?”

Work began responding, haltingly, “The first is to try—first we deny and then we first find out, we do the forensics—”

McCain cut him off, and asked repeatedly whether it is Pentagon policy to counterattack after such a breach. Work said a counterattack is “one of the options.”

“That’s not a policy, Secretary Work,” McCain responded. “That is an exercise in options. We have not got a policy, and for you to sit there and tell me that you do—a ‘broad-strokes strategy,’ frankly is not in compliance with the law.”

Other senators on the committee piled on, asking Work and his fellow witnesses from the Intelligence Community how and when a clear policy of deterrence and retaliation would be set out.

“We are not where we need to be in our deterrent posture,” admitted Work.

Director of National Intelligence James Clapper told the committee that he was not optimistic that China would curtail its cyberattacks, even after the U.S.–China accord announced last week.

Throughout the hearing, senators brought up the OPM data breaches, which are widely attributed to China. Clapper has gone out of his way in recent weeks to draw a bright line between corporate espionage—the target of the U.S.–China accord announced Friday—and traditional intelligence operations, which he says are commonplace and expected.

Clapper has categorized the data breaches at OPM as intelligence-gathering, and cautioned last week against characterizing the breaches as cyberattacks.

“We, too, practice cyberespionage,” Clapper said Tuesday. “We’re not bad at it.” When it comes to retaliating in response to the OPM breach, Clapper told senators to “think about the old saw that people who live in glass houses shouldn’t throw rocks,” using an adage he’s applied to the situation before.

Clapper’s distinction was still not enough for senators who wanted a clear outline of norms.

The government’s cybersecurity position has been “a lot of talk, not a lot of action, unfortunately, and people take their cues from that,” Sen. Kelly Ayotte of New Hampshire said.

“We need to define what an act of war is in the cyber arena,” said Sen. Angus King of Maine. “I don’t mean to imply, Secretary Work, that this is easy. But it’s urgent.”