Inside Cybersecurity

The Editor Reports

Russia probe stirs cyber policy questions, but answers will have to wait

By Charlie Mitchell / June 9, 2017

Amid explosive headlines surrounding ex-FBI Director James Comey's Senate testimony this week, cybersecurity policy issues are lurking beneath the surface of the ongoing probe into Russian cyber-enabled operations aimed at the 2016 elections and beyond.

One immediate policy implication is that the Russia investigation -- like the controversy over fugitive ex-NSA contractor Edward Snowden's leaks in years past -- is sucking up all the oxygen around cybersecurity issues, and perhaps distorting policymakers' views of those issues.

“I think this is a terrible distraction,” said Melissa Hathaway, former cyber adviser to both Presidents Obama and George W. Bush, “and we are losing sight of terrorism and important foreign policy issues.”

About this feature:
'The Editor Reports' is a new feature from Inside Cybersecurity intended to identify themes emerging from our news coverage and pose questions about the direction of evolving cybersecurity policies. Email comments to cmitchell@iwpnews.com.

These may include articulating a U.S. cyber strategy, spelling out the nation's policy on deterrence, invigorating the government-private sector cyber threat-information sharing process, adding a true analytical component to that process, better coordination in the face of cyber attacks, and more.

It's a long, disturbing list of cyber policy needs that goes well beyond what President Trump meant when he said he “hoped” Comey would put an end to the investigation of fired National Security Adviser Mike Flynn.

Some of these issues were touched upon at the Thursday Senate Intelligence Committee hearing with Comey, but only briefly.

And they are going to be hard to address in the policy realm without some level of presidential leadership -- and it will be even more difficult if senior administration officials are leery of even discussing cyber issues for fear of stepping into the Russia controversy.

Democrats on the intelligence panel repeatedly asked Comey on Thursday whether Trump had ever inquired about the strategic issues raised by the Russian hacks, to which Comey said, “No.”

And Attorney General Jeff Sessions' recusal from matters related to the Russia probe could remove from certain discussions an administration figure who has an important statutory role on cyber policy.

On the other hand, a business community source said, “Most cyber watchers aren't expecting Congress to make major legislative moves” this year.

In particular, stakeholders are not looking to the Senate Intelligence Committee for policy action this year, whereas up through the end of 2015, that committee was ground zero in the debate over cyber information-sharing, the top legislative priority at the time for many business groups.

“Senate Intelligence is at the center of the political storm” over the Russia hacks, said a business source. “Fortunately ... no major cyber bills are on the horizon that could get snared.”

But Democrats on the Senate Intelligence Committee are making the argument that the key policy issues in cyberspace are coming to a head in the Russia probe.

“We're here because a foreign power attacked us here,” said Senate intelligence ranking member Mark Warner (D-VA). The “cyber attacks” were “aimed at undermining faith in our institutions,” he said, adding, “We must determine what [the Russian government] did . . . [and] steps to avoid it happening again.”

Republicans on the committee focused their questioning of Comey on whether any laws were broken during the ex-director's encounters with Trump, trying to build a narrative that the president never crossed any legal lines related to the Russia probe or the firing of Flynn.

But they too acknowledged the substantial policy implications of Russia's aggressive and ongoing cyber activities.

Intelligence Chairman Richard Burr (R-NC) said the 2016 hacks and other activity “may have been aimed at one party, but in 2018, 2020 and beyond, it could be aimed at anyone.”

Burr promised “unified bipartisan effort” to address those challenges.

What are the issues at play?

One question that policymakers must grapple with is how cyber attacks are attributed and the related question of how the U.S. articulates a cyber policy that actually deters aggression by spelling out the consequences for state-sponsored hacks.

The latter is of intense interest to the business community -- which wants the government to assume a fuller share of responsibility when it comes to addressing foreign aggression in cyberspace.

“There’s so many other distractions beyond the probe, I’m not sure the probe is the lone distraction,” said one source active in the info-sharing community. But one potentially positive impact from the controversy is a renewed discussion on attribution of attacks, the source said.

“My sense is that this [Russia probe] topic is too political to even have a reasoned discussion on attribution,” the source said. “Your mind is made up based on what side of the aisle you are on.”

However, the Russia controversy and the WannaCry ransomware attack “have at least raised the topic of the challenges with attribution,” according to the source, who added that “potential new priorities could come from whatever comes out of WannaCry after action reporting” expected to be completed this month.

Another question, as yet unaddressed, is whether the vaunted information-sharing law enacted at the end of 2015 played any role in limiting the damage from Russia's sophisticated intrusions. So far, no one from intelligence or homeland security circles is saying.

That's been an ongoing issue in evaluating the effectiveness of the Cybersecurity Act of 2015: Its successes go largely unreported, out of operational necessity, while successful cyber attacks against U.S. targets can be portrayed as a sign that the law and related programs aren't working.

The Department of Homeland Security has acknowledged that its program for sharing cyber threat information with the private sector remains a work in progress -- which critics say is a vast understatement. And key players in the private sector say their info-sharing efforts are evolving and improving largely separately from anything the government is offering.

Some of this could be addressed in legislation by House Homeland Security Chairman Michael McCaul (R-TX) to centralize DHS' cyber functions, but so far this year there has been little effort to address the panoply of pressing cyber issues in any kind of comprehensive fashion.

Based on the Snowden experience, we won't get to that point until the Russia investigation is in the rearview mirror.

The investigation may, ultimately, help frame the policy issues that must be addressed, but it isn't going to happen anytime soon. -- Charlie Mitchell, editor, Inside Cybersecurity