Lawmakers are concerned about the lack of a definitive cyber policy in the Defense Department, which could jeopardize the United States’ ability to retaliate during a cyber attack.
Members of the Senate Armed Services Committee highlighted concerns during a Sept. 29 hearing that DoD does not have an established policy on the rules of engagement or appropriate responses to a state-sponsored cyber attack against the United States.
“Suppose there is an attack like the one on [the Office of Personnel Management]. … Do you respond by counterattacking? Do you respond by trying to enact other measures? What do we do in case of a cyber attack?” said Chairman John McCain (R-Ariz.), during the hearing.
Deputy Defense Secretary Bob Work told the committee DoD does have a cyber strategy, but not a policy per se.
“That does not mean if we had an attack tonight that we do not have the structure in place right now with the national security team to get together to try and understand who caused the attack, to understand what the implications of the attack were and what response we should take,” Work said. “Those are in place right now.”
McCain said that by not having an official policy in place, DoD is in violation of the law. The fiscal 2014 National Defense Authorization Act requires the department to craft a cyber policy.
The strategy is “an exercise in options, and for you to sit there and tell me that you do a broad stroke strategy frankly is not in compliance with the law,” McCain said.
Sen. Angus King (I-Maine) pointed out that in order for cyber deterrence to work, an established policy needs to be in place. In order for a country or entity to be deterred from attacking the United States, it needs to be aware of the kind of response to expect from its attack, he added.
King said last week in a separate hearing that cyber deterrence includes showing the U.S. has offensive cyber weapons it is willing to use.
“I think [deterrence] has got to be a high priority. Deterrence doesn’t work unless people know about it. … The cyber war has started,” King said, during a Sept. 24 hearing. “We are in the cyber war with our hands tied behind our back. We would never build a destroyer without guns … you cannot defend, defend, defend, defend and never punch back.”
National Security Director and U.S. Cyber Command chief Adm. Michael Rogers, who also spoke at the Sept. 29 hearing, said the U.S. needs to think outside the cyber realm when it comes to retaliation. Rogers also said the U.S. needs to define what is acceptable and unacceptable when it comes to hacking and articulate that the U.S. is preparing a set of capabilities that it is prepared to use.
As congressional members worried about how the U.S. can respond to an attack, all three witnesses at the hearing said they were skeptical that China would hold up its side of the bargain on the cyber theft agreement President Barack Obama and Chinese President Xi Jinping agreed to on Sept. 25.
Work, Rogers and Director of National Intelligence James Clapper all said they were wary of China’s ability to stop stealing intellectual property during the Sept. 29 committee hearing.
“Hope springs eternal,” Clapper said. “We will have to watch what their behavior is.”
In response to McCain’s question as to whether or not he was optimistic about the Chinese sticking to the agreement, Clapper said no.
“The extent to which Chinese are purloining our data is pretty pervasive,” Clapper said.
Rogers said the United States is hit by cyber attacks from China more than any other country. A study by the Commission on the Theft of American Intellectual Property estimates that between 50 percent and 80 percent of cyber intellectual property thefts come from China. The data breach at OPM, which compromised the personal data of 22 million federal workers, is suspected to have been done by Chinese hackers.
Work stressed that the agreement is not a treaty, which has more legal weight. The agreement is meant to be a confidence building exercise to see if the Chinese are serious about what they said about controlling cyber attacks.
“They’ve got to prove it to us,” Work said. “We know that they have stolen information from our defense contractors and it has helped [China] develop systems.”
The agreement encompasses a number of understandings between the two countries, including neither will knowingly commit theft of intellectual property and they will both promote international norms on cyber. The two countries will meet at least twice a year to discuss the progress of the agreement and they will also exchange information on cybercrimes.
Clapper said there are no explicit punishments in the agreement for China if it continues to attack U.S. intellectual property; however, the agreement implies there may be economic sanctions. Both Work and Clapper said that cyber warfare was not an eye-for-an-eye scenario, but rather called for a proportional response.
Clapper reminded the committee that the United States also partakes in cyber espionage.
“We’re not bad at it. When we talk about what we are going to do to counter espionage or punish somebody, well, I think it’s a good idea to at least think about the old psalm about people who live in glass houses shouldn’t throw rocks,” Clapper said.