For almost two years, Senate Armed Services Chairman John McCain (R-Ariz.) has been asking the Defense Department for a cyber deterrence strategy, and for two years McCain has not gotten what he wanted.
Now, after Congress formally required DoD to present them with a comprehensive cyber deterrence strategy, lawmakers are being asked to wait a little longer for the policy.
DoD is delaying the release of its cyber deterrence policy for the second time since the 2017 defense authorization act required the strategy.
“While I realize the importance of this issue to the committee’s members and recognize that further delay may impact the committee’s work, please know that DoD is committed to providing Congress as comprehensive and detailed a report as possible,” Assistant Defense Secretary for Homeland Defense and Global Security Kenneth Rapuano wrote to the Senate Armed Services Committee Aug. 30. “To that end, we have already undertaken much of the work necessary to achieve this goal and I do not foresee a delay in submitting this report beyond Sept. 30.”
DoD was originally supposed to deliver the report 180 days after the 2017 defense authorization bill became law on Dec. 23, 2016.
That order refocused federal cyber security efforts around three broad efforts: protecting federal networks, protecting critical infrastructure and securing the nation through deterrence, international cooperation and workforce.
The most recent delay for the cyber strategy is due to the State Department finishing its report to the Office of Management and Budget required by the executive order.
“The State Department is finalizing this report and the Department of Defense continues to work with the State Department to incorporate defense equities. Given these continued interagency deliberations, DoD will need to delay the submission of its report to Congress,” the Aug. 30 letter stated.
The 2017 defense authorization act requires DoD to deliver a report on the military and nonmilitary options available to the United States to deter Russia, China, Iran, North Korea and terrorist organizations in cyberspace.
It also asks the chairman of the Joint Chiefs of Staff to provide a priorities list of cyber deterrence capabilities that identifies high-priority capability needs, risk areas and planning issues.
McCain and Congress as a whole have had a long history with the cyber deterrence policy. The 2014 defense authorization act required DoD to provide a cyber deterrence policy, which Congress claims it never got.
In a Nov. 18, 2015, letter to then-Director of National Intelligence James Clapper, McCain asked for “an explanation for the administration’s delay in developing a cyber deterrence policy and utilizing the many tools available to it to achieve substantive deterrence.”
The policy stated the United States is “pursuing deterrence through cost imposition measures … designed to both threaten and carry out actions to inflict penalties and costs against adversaries that choose to conduct cyber attacks or other malicious cyber activity against the United States.”
Those measures include pursuing law enforcement measures, sanctioning malicious cyber actors, conducting offensive and defensive cyber operations and using military force.
The policy is “wholly-lacking any new information about the administration’s plan to integrate ends, ways and means to meaningfully deter attacks in cyber space. It mostly reiterates steps taken and pronouncements made over the past few years, all of which we know have failed to deter our adversaries or decrease the vulnerability of our nation in cyber space,” McCain said in a January 2016 statement.
The logic of the cyber deterrence strategy is that the policy will keep cyber attackers from infiltrating systems if they know how the United States will respond to the attack.
It works similarly to a nuclear deterrence strategy where redlines are drawn and the United States has a public policy to make adversaries aware of its response to crossing those redlines.
“Suppose there is an attack like the one on [the Office of Personnel Management]. Do you respond by counterattacking? Do you respond by trying to enact other measures? What do we do in case of a cyber attack?” McCain said during a September Armed Services Committee hearing.
Sens. Tim Kaine (D-Va.), Mike Rounds (R-S.D.) and Angus King (I-Maine) have all called for a strategy.
“Dr. Strangelove taught us that if you have a doomsday machine and no one knows about it, it’s useless,” King said during a September Intelligence Committee hearing. “Having a secret plan as to how we will respond … the deal is they have to know how we will respond and therefore not attack in the first place.”
DoD has the capability to respond to an attack in an offensive or defensive manner. The Defense Information Systems Agency stood up a joint headquarters in January 2016 to protect DoD networks.
The DoD cyber strategy also creates a cyber mission force of 133 teams. Of those teams, 52 are set aside for combat missions and support to combatant commanders and contingency operations. The rest provide defense capabilities to the homeland and defense networks.