McCain Leaves a Rich Cyber Legacy

Shortly before Gen. Keith Alexander’s April 2010 hearing to be the first chief of U.S. Cyber Command, Sen. John McCain, R-Ariz., approached the general with a question.

During the 2008 presidential contest, when McCain was the Republican nominee, hackers rumored to be from China had breached his campaign’s computers. McCain wanted to know why.

Alexander responded that inside information about a presidential nominee’s private discussions would be highly valuable to U.S. adversaries and that a presidential campaign was an obvious hacking target.

“I think, for him, it raised the reality that cyber is more than just talk,” Alexander told Nextgov Monday. “He had been a victim and that helped him make the leap to what do we do about this as a nation.”

McCain, who died Saturday at 81, had advocated a stronger Defense Department focus on cybersecurity going back to the early 2000s, according to former Pentagon officials. With the creation of U.S. Cyber Command, however, he became one of the strongest advocates on Capitol Hill for raising the posture of military and civilian cyber defenders.

As chairman of the Senate Armed Services Committee since 2015, McCain used Congress’ annual defense policy bill, the National Defense Authorization Act, to provide billions in military cybersecurity funding.

He used the NDAA to push for the elevation of Cyber Command to a full combatant command—a Defense command with a continuing mission through peace or war. He also used it to stymie Obama administration efforts to split CYBERCOM from its “dual hat” relationship with the National Security Agency, in which the agencies share the same leader.

At the opening of this Congress, McCain created a new cybersecurity panel within the Armed Services Committee, which held one of the first open hearings on Russian cyber and disinformation operations to undermine the 2016 election.

Most importantly, McCain, who was a son and grandson of U.S. Navy admirals, relentlessly pushed executive branch officials from the Pentagon, White House and elsewhere to develop a governmentwide cyber policy that could effectively deter U.S. adversaries, such as Russia and China.

He was scathing when those policies fell short and when the U.S. appeared unable to project strength in cyberspace.

During a March 2017 hearing, McCain complained that the U.S. was still “treating every [cyber]attack on a case-by-case” and projecting weakness in cyberspace that “has emboldened our adversaries.”

In a speech at Arizona State University the following August, he warned that the government’s current cyber policy is “overgrown with bureaucracy and choked by duplication.”

McCain’s exasperation evidently carried over even into closed hearings. Nick Carr, a former technical analysis lead at the government’s cyber emergency response team, reminisced on Twitter, Sunday, about a closed door 2012 committee session during which McCain was “frustrated, yelling at my boss from DHS and all other agencies: ‘WHO IS IN CHARGE FOR CYBER??’”

Carr, who now works for the cybersecurity company FireEye, added: “What a badass. Also a pretty valid question.”

McCain often tried to force the executive branch to solidify its cyber policy through legislation.

In 2015, he added a provision to the NDAA withholding $10 million in Defense Department funds until the White House produced a long overdue report on cyber deterrence policy.

The 2018 NDAA, which is named for McCain, goes into extensive detail outlining the military’s offensive cyber responsibilities and capabilities and demanding numerous executive branch reports on how those authorities are being managed.

“Sen. McCain correctly held the executive branch’s feet to the fire on the need to more clearly articulate principles on which cyber deterrence would be based,” said Paul Stockton, an assistant secretary of defense during the Obama administration with broad cyber responsibilities.

Stockton also credited McCain with pushing the Pentagon to examine cyber vulnerabilities in military computer networks and in the critical infrastructure the military depends on, such as energy plants and transportation hubs.

McCain’s interest in cybersecurity extended beyond the military. He was a cosponsor on more than two dozen bills that addressed cybersecurity in some form or other, according to legislative records, including several bills aimed at countering Russian cyber meddling in the 2016 election.

Aaron Brantly, a cyber research fellow at West Point’s Army Cyber Institute, communicated with McCain’s staffers about cyber policy issues. Their questions often ranged far beyond military policy, he said, to focus on private sector cybersecurity incentives and related issues.

“He consistently demanded that we elevate and find solutions to really intractable problems,” said Brantly, who is also a professor in Virginia Tech’s political science department. “He was a giant in the national security field including cyber, and he was interested in broader approaches to national security that extended well beyond the military.”