The first thing Senate Armed Services Committee Chairman John McCain (R-Ariz.) addressed at a nomination hearing for some key Defense personnel wasn’t Russia. It wasn’t North Korea. It wasn’t the South China Sea. It was cyber.
“What do you think should be the key elements of our national cyber policy?” he asked the nominees.
Sen. Angus King (I-Maine) echoed McCain’s concern, saying the most likely attack is a cyber attack.
“I felt a sense of irony because we probably spent more time on cyber policy and cyber issues in this committee than any other issue in the last year or so, but there is no cyber policy,” King said. “And I realize that you all are not at the level where you will be setting that policy, but I hope that you will be a continued irritant within the administration. … We’ve got to get to the point where we have a doctrine and a policy and a clear deterrent strategy.”
Kenneth Rapuano, nominee for Assistant Secretary of Defense for Homeland Defense and Global Security, answered the question by referring to a Defense Science Board study in March that found that U.S. critical infrastructure is extremely vulnerable.
To make matters worse, the report said the traditional weapons systems the military relies on to deter countries from actually launching those attacks are themselves vulnerable to cyber attack, undermining a deterrence policy one Defense official articulated six years ago: “If you shut down our power grid, maybe we’ll put a missile down one of your smokestacks.”
Rapuano echoed the report’s call for a more comprehensive, unified deterrence strategy, followed by ongoing, tailored campaigns to deal with the most potentially troublesome attackers, including not just China and Russia, but also countries with mid-level capabilities, like North Korea and Iran.
“We have got to have both what is perceived to be and what is actually effective cyber capabilities that will introduce such an element of doubt in the minds of our adversaries that the cyber attacks that they would be interested in taking to achieve some goal would be outweighed by the high likelihood of our response,” Rapuano said.
Rapuano also called for better integration both within the Defense Department and between the various other agencies with a stake, like the Homeland Security and Energy departments. The Treasury and Justice departments have also played key roles in prior responses to cyber attacks, including through crippling financial sanctions targeting key leaders of state-sponsored hacks and criminal prosecutions of those officials.
But identifying all the stakeholders is just the first step; Rapuano said the threats then need to be identified and prioritized. And then all of that needs to be woven together into coherent policy.
“I think ultimately the White House has a very important marshaling role in the National Security Council staff. I believe they should be setting those expectations,” he said.
The need for coordination of the cyber effort is an idea the Defense Science Board explored while working on its report.
“I don’t see duplication of effort, I see gaps in effort. We don’t have an orchestra conductor to ensure that we don’t have those gaps,” said Dr. Craig Fields, the chairman of the Defense Science Board. “On the board, we’ve talked about the National Security Council playing that role, but we’re not completely comfortable with that. It’s an unsolved problem, because we do need a campaign strategy to make this a continuous process, including exercises. … We have a long list of execution issues like whether we have the right number of offensive cyber folks or whether the intelligence community is collecting the right stuff at the right time, but unless we have policy and the orchestra conductor and the strategy, we’ll never go where we need to go.”
But Robert Karem, nominated to be Assistant Secretary of Defense for International Security Affairs, and Kari Bingen, nominee for Principal Deputy Under Secretary of Defense for Intelligence, both raised the idea that any cyber policy has to include external integration and cooperation with allies needs to be addressed as well.
“I believe it’s incredibly important — nearly every military operation we undertake today is done in a coalition,” Bingen said. “So it is incredibly important that we be able to provide our coalition partners intelligence information, but also they be able to provide us information as well, at the end of the day, for the same mission: to protect our collective national security.”