Amid growing fears of large-scale cyberattacks–ranging from attacks on infrastructure, to cyber espionage that threatens national security, to a “terabyte of death”–Congressional lawmakers are calling for a more clearly defined strategy for responding to such attacks.
The Senate’s version of the 2019 National Defense Authorization Act (NDAA) was approved with changes and sent back to the House on June 18, and heads to conference next week to reconcile differences between the two chambers. It calls on the executive branch to “plan, develop, and demonstrate” how the United States could respond to cyberattacks that threaten the political integrity or the economic or national security of the United States. The legislation notes that its provision refers to attacks originating from foreign powers, specifically mentioning Russia in one section.
The bill would up the pressure to establish a policy on what cyber activity constitutes an act of war–as opposed to the thousands of attacks the Department of Defense and other agencies see every day–and what the options for response are.
Pentagon leaders have for years struggled to define cyberwar in terms of what level of cyberattack would warrant a military response, and whether a response would be in cyberspace or include the use of kinetic weapons. The DoD Cyber Strategy of 2015 states that the “United States has been clear that it will respond to a cyberattack on U.S. interests through its defense capabilities,” but is not particularly clear about what would prompt retaliation or what shape retaliation would take. It says only that response would come “at a time, in a manner, and in a place of our choosing, using appropriate instruments of U.S. power and in accordance with applicable law.”
Among other factors, the difficulty in attributing the origin of a cyberattack has complicated the question of ordering a response.
As for launching cyberattacks, U.S. Cyber Command has control of DoD’s offensive (as well as defensive) cyber operations, although Presidential Policy Directive 20 currently gives the President sole power to authorize cyberattacks that could damage another country’s assets.
While the NDAA would add requirements to that power, some lawmakers and others say that DoD should also have the ability to respond in kind to cyberattacks, an idea with which others have agreed. Mike Mullen, former chairman of the Joint Chiefs, has argued that the Cyber Command, which in May was elevated to a unified combatant command, should be empowered to run offensive operations on its own.
Some members of Congress–particularly Sen. John McCain, R-Ariz.–have for years criticized the White House for its cybersecurity policy, calling for a more clearly defined strategy that outlines response and delineates who is responsible for making the decisions to retaliate. In March, lawmakers complained that the lack of a clear strategy has resulted in inaction in the wake of attacks from Russia and elsewhere, making the United States, as Sen. Dan Sullivan, R-Alaska, has put it, “the cyber punching bag of the world.”
The NDAA–a funding plan that maps out priorities–also calls for other cyber-related measures including greater coordination between DoD and the Department of Homeland Security on infrastructure protection, setting guidelines for research and development, and completing the transfer of a number of cyber responsibilities from the Defense Information Systems Agency to the Cyber Command. Research firm Skopos Labs gives the bill a 97 percent chance of passing.