Why the private sector is key to cybersecurity

There is only so much the military can do to protect the country in cyberspace, expert witnesses at a House hearing said, so Congress should invest more in supporting the private sector.

The private sector needs to be "supported by," not simply "supporting" the government in order to improve national cybersecurity, witnesses told members of Congress at a March 1 House Armed Services Committee hearing.

In a wide-ranging hearing on cyberthreats and challenges that often centered on the capabilities and authorities of the Department of Defense and the National Security Agency, panelists argued there is too much emphasis on the military and not enough on the private sector.

"Much of our challenge in cyber is understanding the problem," said witness Jay Healey, senior research scholar at Columbia's School of International and Public Affairs.

"America's cyber power is not at Ft. Meade," he said. "The best use of government resources is to reinforce those doing the best work already. Our critical infrastructure companies are on the front lines, and together with major vendors and cybersecurity companies have far more defensive capabilities than our military."

Healey told FCW after the hearing that the NSA and U.S. Cyber Command are simply not positioned, and realistically can't be, to prevent attacks on private sector entities.

"What buttons or levers do they have that's connected to the internet that can stop it?" he asked. "They could return fire and try and stop it. They could better defend the federal government against it, but that's about it. What is already happening is that these network service providers are already telling themselves about these dangerous attacks and are already doing things to stop it."

Healey said the government needs to recognize that the DOD doesn't play the lead role in responding to cyber incidents against private systems or entities in real time. He said both the previous National Cyber Incident Response Plan and the newly approved version have it backwards when it comes to incident response.

"Both of them say, 'well government is going to make the decision and tell the private sector what to do.' It doesn't work like that," he said.

"If you need to hit back, the DOD is who you call, that's obvious," witness Peter Singer, a senior fellow at the New America Foundation, told FCW.

"When you start talking about civilian networks in military parlance, the civilian networks are the supported command. They will pull resources and there will be times that's appropriate but... you don't want CyberCom trying to take over 'Wisconsin whatever' power grid."

Singer said the conversation needs to focus more on resilience, which includes everything from hardening private networks to reducing supply chain and acquisition vulnerabilities in DOD systems, and that this will lead to better deterrence and defense by denial.

"Our offensive cyber capability has never been in doubt and yet we still see attacks by a wide range of state actors, private actors you name it," he said.

He also argued that the U.S. must find more ways to leverage private sector capabilities. A number of committee members raised questions about the cyber workforce and the current and projected shortage of cyber personnel.

Singer said the U.S. should look at creative solutions like expanding the U.S. Digital Service or modeling Estonia's Cyber Defense League as ways to bring more private sector talent into the cyber arena. In addition, he argued that cyber positions in other federal agencies, not just the DOD, should be exempted from the federal hiring freeze.

"We now know the OPM breach, that had national security consequences, so are we creating a chill factor on hiring, filling these slots at other agencies?" asked Singer.

Speaking to reporters after the hearing, committee chairman Mac Thornberry (R-Texas) said there is no question that offensive cyber operations belong to the DOD, and that the Pentagon also has a role in defending government networks.

"The key question is what's the role of the military in defending private infrastructure?" he asked. He argued that if a nation state is attacking a civilian target, then maybe the DOD does need to step in, despite panelist arguments to the contrary.

Thornberry said the witnesses were right in terms of the need to build more resilience in the private sector and in critical infrastructure.

"The government has a supporting role to do with that," he said. "So that leads me to start thinking, OK, is it too hard to have this relationship with government and private industry towards this mutual goal of building up resilience?"

Thornberry said that cultural differences and some of the legacy of the Edward Snowden leaks have made it difficult for the government and private sector to work together. "How skeptical are technology companies in working with, sharing information with, receiving information from the government?" he asked.

"I don't think we got the answers to all those questions today," he said. "I don't have all the answers. I do think it's important to be asking the questions."