Senate Defense Armed Services Committee Chairman John McCain (R-Ariz.) is holding the flame to the Obama administration’s feet on a cyber policy.
In a Nov. 18 letter to Director of National Intelligence James Clapper, McCain said he is “seeking an explanation for the administration’s delay in developing a cyber deterrence policy and utilizing the many tools available to it to achieve substantive deterrence.”
The letter states that the defense authorization acts over the past three years have included provisions concerning cyber deterrence. The 2014 defense authorization act required the President to develop a cyber deterrence policy. McCain’s letter claims that policy is more than a year overdue.
McCain asked Clapper for an update on the policy in the letter and how the President will use his authority to authorize sanctions on individuals stealing intellectual property from U.S. companies.
McCain sent a second letter to Attorney General Loretta Lynch and Department of Homeland Security Secretary Jeh Johnson stating the administration’s lack of sanctions in the U.S.-China cyber agreement is a prime example of the President refusing to use the authority authorized to him.
“The failure to utilize these authorities is alarmingly consistent with this administration’s refusal to articulation a robust strategy to deter cyber attacks against the United States,” the second letter states.
McCain’s request is the culmination of a bloc of lawmakers calling on the administration to make its cyber intentions known.
Most recently Sens. Tim Kaine (D-Va.) and Mike Rounds (R-S.D.) have jumped on the cyber deterrence bandwagon.
The logic goes that a cyber deterrence policy will keep cyber attackers from infiltrating systems if they know what response the United States will have to the attack.
It works similarly to a nuclear deterrence strategy where redlines are drawn and the United States has a public policy to make adversaries aware of its response to crossing those redlines.
“Suppose there is an attack like the one on [the Office of Personnel Management]. … Do you respond by counterattacking? Do you respond by trying to enact other measures? What do we do in case of a cyber attack?” McCain said, during a September Armed Services Committee hearing.
The Defense Department says its cyber strategy, released in April, is considered a cyber policy. Deputy Defense Secretary Bob Work during the hearing that if the United States were attacked the Defense Department would have the ability to come up with an appropriate response.
However, lawmakers disagreed with the assertion that the strategy is considered a policy because no redlines are drawn.
“Dr. Strangelove taught us that if you have a doomsday machine and no one knows about it, it’s useless,” Sen. Angus King (I-Maine) said during a September Intelligence Committee hearing. “Having a secret plan as to how we will respond … the deal is they have to know how we will respond and therefore not attack in the first place.
DoD has the capability to respond to an attack in an offensive or defensive manner. The Defense Information Systems Agency stood up a joint headquarters in January to protect DoD networks. DISA Director Alan Lynn said the joint force has already been in seven named operations.
The DoD cyber strategy also creates a cyber mission force of 133 teams. Of those teams, 52 are set aside for combat missions and support to combatant commanders and contingency operations. The rest provide defense capabilities to the homeland and defense networks.
Lynn said this week that he believes the United States is in an “economic cyber Cold War.” Harkening back to the original Cold War, a war defined by deterrence.
Federal agencies reported almost 70,000 cyber intrusions in 2014, states the U.S. Computer Emergency Readiness Teams
In 2014, industry reported it detected 42.8 million cyber attacks a day, according to a survey by PricewaterhouseCoopers.
DoD’s cyber policy could encompass the theft of U.S. companies’ intellectual property as well.
“Imagine a country that is working a long war-fight … a 20-year plan to periodically do a cyber takedown of a Sony, a Home Depot, a Target, name your company. It takes pennies to conduct those attacks and millions to fix them,” Lynn said.
Lawmakers claim a deterrence strategy will protect the government, companies and citizens since consumers’ data is part of the booty for hackers when attacking companies.
“I think [deterrence] has got to be a high priority. Deterrence doesn’t work unless people know about it. … The cyber war has started,” King said. “We are in the cyber war with our hands tied behind our back. We would never build a destroyer without guns … you cannot defend, defend, defend, defend and never punch back.”