At almost every Senate Armed Services hearing within the last few years remotely focused on cyber, Chairman John McCain, R-Ariz., has lamented the lack of a national policy and strategy on cyber from the Defense Department and the White House. As it turns out, resilience – one of the key issues every cybersecurity guru harps on – is at the heart of a lack of strategy.
"In response to your request for thoughts on policy, strategy and organization," James Clapper, who most recently served as Director of National Intelligence, told McCain at a hearing May 11, "I want to offer one overarching thought: To me, the first order of business is defense and resilience."
Resilience is often touted as a critical metric in the way of deterrence by denial – meaning networks will be so hardened that even attempting attacks will be futile. However, according to Clapper, the U.S.'s vulnerability has hindered its ability to project power in cyberspace.
"We've got to focus on this because without it, we'll never be in a position to launch a counter attack even if we can quickly and accurately attribute who attacked us … and we're always going to doubt our ability to withstand counter retaliation," he told the committee.
Providing a real example from a few years ago, he explained that when a massive Iranian denial of service attack hit the financial sector, "the initial interagency impulse was to counterattack, but in a measured, precise way. What restrained us was lack of confidence in our ability to absorb a counter retaliation."
Second, he hit on a familiar inhibitor – legalities. In providing another example, he said when trying to craft a response to the North Korean's cyberattack against Sony Pictures, if they wanted to respond in cyber and had to execute an attack through someone else's infrastructure in order to get at the intended target, is that an act of war against that intermediary or not?
"Lawyers have a field day with that kind of an issue," he said, adding that ultimately the U.S. didn't act in cyber but applied other tools – sanctions – which were ceremoniously satisfying but didn't have much impact.
Hopes with a new administration
McCain earlier this week expressed his frustration in front of the commander of Cyber Command, Adm. Michael Rogers, saying that while the committee was hopeful, "after years without any serious effort to develop a cyber deterrence policy and strategy from the last administration," which the new administration promised within 90 days of inauguration, "90 days have come and gone and no such policy or strategy have been provided."
During the same hearing Sen. Angus King, I-Maine, was sure to remind Rogers that the deadline for a report directed by last year’s National Defense Authorization Act directing the administration to outline military and non-military options available for deterring and responding to imminent threats is fast approaching.
The report, due 180 days after the law was signed, puts the deadline at mid-June. Rogers told King that the Office of the Secretary of Defense is working on this and Cyber Command has provided some insights.
Specifically, the law directs that the Secretary of Defense and chairman of the Joint Chiefs of Staff deliver a report on deterrence of adversaries in cyberspace. The law also calls for the president, after 180 days of the delivery of the aforementioned report, to submit a report outline actions in cyber against the U.S. that might warrant a military response.
Relatedly, after much anticipation, President Donald Trump signed a cyber executive order. The order, among an amalgam of other things, directs the Secretary of State, Treasury, Defense, Commerce, Homeland Security, the Attorney General and the United States Trade Representative, in coordination with the Director of National Intelligence, to submit a report to the president on the nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats within 90 days.
In a live chat on Fifth DomainMay 11, Paul Rosenzweig, Chertoff Group senior adviser and former DHS official, explained that while the order doesn’t provide a vision of how all the recommendations will be integrated, he is willing to give the administration an "incomplete" and hopes that will come in the next iteration.
"It’s a little sad to be looking for studies that are going to take another 120 days or in some instances 180 days and we’re already 112 days, 115 days in," he said. "This kind of reporting requirement EO would have been a lot better … if it had come out on day 30 instead of on day 120."
What's the road block?
When asked during the annual worldwide threats hearing this week in front of the Senate Intelligence Committee, Director of National Intelligence Dan Coats said that there is wide consensus that a cyber doctrine is needed, but didn’t offer much clarity. "I would agree with you, however, that this is a threat that our policymakers need to address," he said. "I'm hoping that when we are here next year, we will have a solid response to your question, but at this particular point in time, frankly given the proliferation of issues that we're trying to deal with, it's almost overwhelming."
McCain asked pointedly this week that, given every event is being handled on a case-by-case basis, is that appropriate or sustainable?
"It tends to be a case-by-case basis," Rogers told the Senate Intelligence Committee this week, adding, "I don't have any easy answer for you" regarding crafting a cyber doctrine.
Clapper, for his part, echoed Rogers, noting that every case is a little different. "It would be nice to have a broad policy though that you could start with, which we really don’t have," he said.
Former CIA and NSA Director Michael Hayden followed Clapper by telling McCain that "in the Bush administration, we couldn’t do a cyber thing without having a meeting in the situation room."
For Clapper, ultimately, the legal, international sovereignty issues combined with the lack of resiliency are what is inhibiting the U.S. in crafting such as strategy.
"That’s why, to me, if you want to have a serious conversation about deterrence, the fundamental underpinning of deterrence has got to be about defense and resilience,’ he said. "Unless we are confident that we can withstand a counter retaliatory action, which many not be as measured or precise as what we might employ, having a serious discussion and writing things down in the absence of that is pretty hard."
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.