The Obama administration is still struggling on how it would respond to a cyber attack on U.S. water systems, financial structure or electrical grid.
Defense Department Acting Assistant Secretary for Homeland Defense and Global Security Thomas Atkin was unable to provide specifics to the House Armed Services Committee this week on when exactly DoD would get involved if there was a cyber attack to critical U.S. infrastructure.
“When DOD gets involved is an attack of significant consequence, we have the responsibility to defend against an attack of significant consequence,” Atkin said during the June 22 hearing.
“How do you define significant consequence?” Rep. Tulsi Gabbard (D-Hawaii) asked Atkin.
Atkin responded loss of life, physical damage, economic impact or foreign policy are all factors.
But Gabbard pushed harder.
“As you define loss of life, if there was an attack on an electrical grid, caused a major power outage, hospitals no longer able to care for people and loss of life in that respect. Would that fall under that definition?” Gabbard said.
Atkin was unwilling to hypothesize on scenarios, but said different factors would have to be evaluated for an attack to be considered one of significant consequence. Atkin added DoD would assist the Department of Homeland Security, which has jurisdiction over attacks on the homeland, if asked.
The interaction comes as Congress is considering elevating U.S. Cyber Command to a full combatant command.
The exchange between Gabbard and Atkin highlights a larger debate that has been brewing between Congress and the White House.
Congress has repeatedly asked the administration for a cyber deterrence policy, which would outline how the United States would respond to a cyber attack.
Congress pushed the White House for a cyber deterrence strategy to warn enemies there are repercussions for cyber attacks on the United States.
“Suppose there is an attack like the one on [the Office of Personnel Management]. Do you respond by counterattacking? Do you respond by trying to enact other measures? What do we do in case of a cyber attack?” Senate Armed Services Committee Chairman John McCain (R-Arizona) said last September.
The White House issued a policy in December that outlined some areas where the United States might retaliate after a cyber attack.
But, after Wednesday’s hearing, it’s clear all of the kinks have not been worked out.
McCain called the December cyber strategy “thin” and “wholly-lacking any new information about the administration’s plan to integrate ends, ways, and means to meaningfully deter attacks in cyber space. It mostly reiterates steps taken and pronouncements made over the past few years, all of which we know have failed to deter our adversaries or decrease the vulnerability of our nation in cyber space.”
House Armed Services Chairman Mac Thornberry was concerned by Atkin’s testimony on Wednesday as well.
“My concern is we know where it’s coming from. Country XYZ that has tremendous cyber capability is preparing to do something and the question is whether we wait and let them do it or try to at least take defensive action to manage the consequence of it,” Thornberry said.
While officials and lawmakers are debating how to respond to a cyber attack, Congress is close to giving the military’s combined cyber force a higher spot in the pecking order.
The 2017 defense authorization bill elevates CYBERCOM to a full combatant command.
Atkin told the House Armed Services Committee the biggest challenge to elevating CYBERCOM would be the resources.
“Our biggest challenges are going to be resources, making sure that CYBERCOM has all the right resources as they build out the cyber mission force… it’s just a matter of making sure that we’re doing it in a sequenced way to make sure that we don’t hamper or hurt any operations that we have ongoing, and that we continue to gain advantages and do better when we’re conducting these operations,” Atkin said.
Atkin said the challenges can best be solved internally within the department.