Inside Cybersecurity

May 12, 2024

Development of cyber deterrence policy remains elusive despite widespread support

By Rick Weber / December 11, 2018

There is widespread agreement within industry and government that the United States needs to strengthen its position for deterring cyber attacks from foreign adversaries, yet the process for developing such a widely supported policy remains unresolved even after years of debate, legislative action and an administration intent on demonstrating a get-tough resolve in countering cyber threats.

The lack of an effective U.S. deterrence policy negotiated with like-minded allies was highlighted in a recent speech by Sen. Mark Warner (D-VA), billed as a “New Doctrine for Cyberwarfare and Information Operations.”

“Little progress has been made,” said Warner in referring to disagreements by the U.S., China and Russia over the role of international law in cyberspace at the United Nations in 2017.

“We should be linking consensus principles of state behavior in cyberspace explicitly with deterrence and enforcement policies,” argued Warner, the top Democrat on the Senate Intelligence Committee and widely considered a potential presidential candidate in 2020.

Warner has taken a hard line with the Trump administration, which has issued a number of cybersecurity strategies in the past several months -- and which Warner has said lack cohesion and a sense of follow-through.

“We need to have a national conversation about the defensive and offensive tools we are willing to use to respond to the ongoing threats we face. In short, we need to start holding our adversaries accountable,” Warner said at the Center for Strategic and International Studies on Dec. 7. “Failing to articulate a clear set of expectations about when and where we will respond to cyberattacks is not just bad policy, it is downright dangerous. We are allowing other nations to write the playbook on cyber norms.”

Warner's frustrations over the lack of a cohesive cyber deterrence strategy come as the Department of Homeland Security is standing up the National Risk Management Center, with its leaders suggesting the department's pivot to strategic risks will drive up costs for adversaries and deter cyber attacks.

The new center's work will make cybersecurity part of our “national security decision making to deter” and “punish” our adversaries, said NRMC Director Robert Kolasky at a meeting of industry and government officials hosted by technology consulting firm ICF International last week.

Kolasky said the center will help deter cyber threats “by better defining what is unacceptable to us” and hardening critical infrastructure by identifying core functions and prioritizing protections from risks to systems relied upon across industries.

He said industry has a responsibility to defend its systems, but when it comes under attack from a nation-state adversary, industry needs to know “we stand with them.”

For its part, the Defense Department is taking a more active role in protecting critical businesses traditionally not viewed as part of the defense industrial base, a move that has the support of both Congress and President Trump.

The annual defense authorization law enacted in August calls on the Pentagon and the White House to develop a cyber deterrence strategy, after years of frustrations among lawmakers who accused the previous administration of failing to develop such a get-tough strategy.

“It shall be the policy of the United States, with respect to matters pertaining to cyberspace, cybersecurity, and cyber warfare, that the United States should employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond to when necessary, all cyber attacks or other malicious cyber activities of foreign powers that target [the] United States,” according to the National Defense Authorization Act for fiscal 2019.

The law called on the White House to submit a report to Congress “on the policy of the United States on cyberspace, cybersecurity, and cyber warfare,” which was sent to Capitol Hill in October.

“The United States will launch an international Cyber Deterrence Initiative to build such a coalition and develop tailored strategies to ensure adversaries understand the consequences of their malicious cyber behavior,” the White House wrote in the unclassified version of its strategy to the Hill.

“The United States will work with like-minded states to coordinate and support each other’s responses to significant malicious cyber incidents, including through intelligence sharing, buttressing of attribution claims, public statements of support for responsive actions taken, and joint imposition of consequences against malign actors,” the Trump administration pledged in indicating such a strategy continued to be a work in progress.

“Despite a flurry of strategy documents from the White House and DOD, the federal government is still not sufficiently organized or resourced to tackle this hybrid threat,” Warner charged in his speech.

“We have no White House cyber czar, no cyber Bureau or senior cyber coordinator at the State Department. And we still have insufficient capacity at State and DHS when it comes to cybersecurity and disinformation,” Warner warned in referring to Trump's decision in May to eliminate the cyber czar position elevated by former President Obama.

It's not likely the cyber czar post will be re-established anytime soon, but federal law requires for the first time that a cyber deterrence strategy be developed, even while its development is in its initial phase, according to the White House strategy. -- Rick Weber (rweber@iwpnews.com)