As the United States is sorting out Russian involvement in the 2016 election and possible future elections, lawmakers are once again questioning the United States’ cyber war policy.
Mostly they want to know exactly what the United States’ cyber war policy is. Since cyber became a major domain, what exactly constitutes an attack on the nation and its people remains debatable.
Rep. Dan Donovan (R-N.Y.) wants to change that. Last week he went before the House Armed Services Committee to request a provision be added to the 2019 defense authorization bill that provides a legal definition of cyber warfare.
“Cyber war does not fit within the traditional confines of how we conceive warfare. While we have a cyber command that is tasked with protecting U.S. cyberspace, we do not have a legal definition detailing under what circumstances a cyber attack is considered an act of war. That is why I am requesting an amendment that will require the Pentagon to form a working group to propose a legal definition, report back to Congress and make the findings known to the public,” Donovan said during the April 11 hearing.
Cyber hacking cost the United States $57 billion to $109 billion in 2016 alone, but it’s not just the monetary issue that is a potential danger for the United States.
Cyber attacks could reach critical infrastructure or even cause harm to people now that so many devices are connected to the internet. Donovan says that’s all the more reason to scale back the ambiguity of the cyber war definition.
“We currently do not know when a cyber attack is an act of war. If North Korea were to bomb a hospital, that would undoubtedly be considered an act of war under both U.S. and international legal standards, but if North Korea were to launch a cyber attack on a hospital and were able to shut down the hospital or alter patient records, there is nothing that defines this as an act of war,” Donovan said.
Donovan is picking up the mantle from Senate Armed Services Committee Chairman John McCain (R-Ariz.), who hounded the Obama administration for a cyber warfare policy.
The administration did release something at the end of December 2015. It outlined how DoD would pursue law enforcement measures, sanction malicious cyber actors, conduct offensive and defensive cyber operations and use military force to respond to cyber attacks.
The policy went further in saying it is in the United States’ interest to assist other countries in building the capacity to combat cyber crime.
McCain, however, was not impressed by the policy’s measures.
“The report also goes to great pains to minimize the role of offensive cyber capabilities and does little to clarify the policy ambiguities that undermine the credibility of deterrence,” McCain’s statement said.
Of course that policy was for the Obama administration and not the current administration. The Trump White House has yet to put out any definitive policy on what constitutes an act of war in the cyber realm.
However, many lawmakers think a policy is vitally important for deterrence reasons.
Sens. Tim Kaine (D-Va.), Mike Rounds (R-S.D.) and Angus King (I-Maine) have all called for a strategy.
“Dr. Strangelove taught us that if you have a doomsday machine and no one knows about it, it’s useless,” King. “Having a secret plan as to how we will respond … the deal is they have to know how we will respond and therefore not attack in the first place.”
DoD has the capability to respond to an attack in an offensive or defensive manner. The Defense Information Systems Agency stood up a joint headquarters in January 2016 to protect DoD networks.
The DoD cyber strategy also creates a cyber mission force of 133 teams. Of those teams, 52 are set aside for combat missions and support to combatant commanders and contingency operations. The rest provide defense capabilities to the homeland and defense networks.