Lawmakers are concerned that a hole in the nation's cyber policy could leave the United States vulnerable to a cyber attack on home soil at a time when fears about Russian and Chinese activities are mounting.
Adm. Michael Rogers, head of U.S. Cyber Command, urged members of the Senate Armed Services Committee Tuesday to accelerate debate on how to balance security and privacy in the ever-changing digital realm.
“Worst-case scenario is we don’t have dialogue and then we have a major event,” Rogers testified. “We have got to figure out how we can do this.”
For instance, Rogers said, if an enemy could change and manipulate data — rather than enter a computer system and steal it — that action would be a threat to national security.
Committee members expressed concern that the lack of a strong cyber attack deterrence policy could prompt an overreaction by the government in the event of an attack.
“We’ve been talking about this as long as I’ve been on the committee, and we aren’t there yet,” said Sen. Angus King, I-Maine. “Something terrible is going to happen, and a lot of people are going to say, ‘Well, why didn’t we have a policy? Why don’t we have a deterrent policy?’ ”
The United States has not publicly unveiled a comprehensive strategy, said Susan Hennessey, a Brookings Institute fellow in national security law.
“I think what we’re seeing on the public record is less evidence of any kind of comprehensive plan and more evidence of sort of a ‘try-as-we-go-see-what-happens’ plan…” said Hennessey, who worked for the National Security Agency until November. “I think we’re seeing a deterrence policy that’s much more based on trial and error and, frankly, novelty than any kind of really comprehensive scheme.”
Hennessey, interviewed by phone, said that a more inclusive and comprehensive conversation across different government agencies is needed.
Earlier this year, Defense Secretary Ash Carter announced the Pentagon’s intention to use CYBERCOM’s abilities to launch a cyber offensive against the self-proclaimed Islamic State. In remarks to CYBERCOM staff in 2015, Carter referred to the cyber team as a “new breed of warrior.”
Tuesday’s hearing followed a Government Accountability Office report warning that there is no clear chain of command in the Pentagon for a response to a cyber attack on U.S. targets.
This was highlighted by the committee as a concern, along with the lack of policy and the growing threat posed by state and non-state actors.
Rogers acknowledged the importance of CYBERCOM staff to protecting DoD networks as he spoke of the cyber threat posed by countries like Russia, China, Iran and North Korea.
“What happens if they decide they want to, for some period of time, disrupt the things we take for granted? The ability to always have power, pumps, power systems, to move money…” he said. “I’m not going to argue that someone is capable of making the United States totally go dark. But I would argue there is capability there to cause significant impacted damage.”
Tens of thousands of people in Ukraine experienced power outages in December last year, in what was widely seen as the first case of a computer-based attack knocking out power supplies.
The terrorist group ISIS has thus far appeared limited in its efforts in cyberspace, focusing mostly on propaganda and recruitment, Rogers said. However, he said carrying out a cyber attack is “not beyond their ability, if they made that decision.”