Senate Armed Services Chairman John McCain (R-Ariz.) is calling out the Obama administration’s previously long-overdue cyber deterrence policy, describing the strategy as “thin.”
The policy is “wholly-lacking any new information about the administration’s plan to integrate ends, ways, and means to meaningfully deter attacks in cyber space. It mostly reiterates steps taken and pronouncements made over the past few years, all of which we know have failed to deter our adversaries or decrease the vulnerability of our nation in cyber space,” McCain said in a statement.
The administration was supposed to give Congress a cyber deterrence policy 15 months ago as required by the 2014 defense authorization act.
The policy, which was released at the end of December, outlines how DoD will pursue law enforcement measures, sanction malicious cyber actors, conduct offensive and defensive cyber operations and use military force to respond to cyber attacks.
The policy goes further in saying it is in the United States’ interest to assist other countries in building the capacity to combat cybercrime.
McCain, however, was not impressed by the policy’s measures.
“The report also goes to great pains to minimize the role of offensive cyber capabilities and does little to clarify the policy ambiguities that undermine the credibility of deterrence,” McCain’s statement said.
McCain had been leading the push for the President to release a cyber deterrence policy.
In a Nov. 18 letter to Director of National Intelligence James Clapper, McCain said he is “seeking an explanation for the administration’s delay in developing a cyber deterrence policy and utilizing the many tools available to it to achieve substantive deterrence.”
McCain sent a second letter to Attorney General Loretta Lynch and Department of Homeland Security Secretary Jeh Johnson, stating the administration’s lack of sanctions in the U.S.-China cyber agreement is a prime example of the President refusing to use the authority given to him.
“The failure to utilize these authorities is alarmingly consistent with this administration’s refusal to articulate a robust strategy to deter cyber attacks against the United States,” the second letter said.
The logic of the cyber deterrence strategy is that cyber attackers will be kept from infiltrating systems if they know how the United States will respond to the attack.
It works similarly to a nuclear deterrence strategy where redlines are drawn and the United States has a public policy to make adversaries aware of its response to crossing those redlines.
“Suppose there is an attack like the one on [the Office of Personnel Management]. Do you respond by counterattacking? Do you respond by trying to enact other measures? What do we do in case of a cyber attack?” McCain said during a September Armed Services Committee hearing.
Sens. Tim Kaine (D-Va.), Mike Rounds (R-S.D.) and Angus King (I-Maine) have all called for a strategy.
Until the release of the deterrence strategy, the administration said the Defense Department’s cyber strategy, released in April, was considered a cyber policy. Deputy Defense Secretary Bob Work said during a congressional hearing that if the United States were attacked, DoD would have the ability to come up with an appropriate response.
However, lawmakers disagreed with the assertion that the strategy is considered a policy, because no redlines are drawn.
“Dr. Strangelove taught us that if you have a doomsday machine and no one knows about it, it’s useless,” King said during a September Intelligence Committee hearing. “Having a secret plan as to how we will respond … the deal is they have to know how we will respond and therefore not attack in the first place.”
DoD has the capability to respond to an attack in an offensive or defensive manner. The Defense Information Systems Agency stood up a joint headquarters in January to protect DoD networks. DISA Director Alan Lynn said the joint force has already been in seven named operations.
The DoD cyber strategy also creates a cyber mission force of 133 teams. Of those teams, 52 are set aside for combat missions and support to combatant commanders and contingency operations. The rest provide defense capabilities to the homeland and defense networks.