The U.S. government has spent years shoring up its cyber defenses but continues to grapple with how it should deter and respond to attacks, key officials said Jan. 5.
“We have a lot more work to do to put the right deterrence and response framework in place on cyber,” said Marcel Lettre, undersecretary of defense for intelligence, who testified at a Senate Armed Services Committee hearing on foreign cyber threats. “The next administration would be well-served to focus very early” on continuing to develop a comprehensive, overarching policy.
Adm. Mike Rogers, commander of U.S. Cyber Command and director of the National Security Agency, told the committee that the U.S. government needs to become faster and more agile to keep pace with rapidly changing threats.
“The biggest frustration for me is speed, speed, speed,” Rogers said. “We can’t be bound by history and tradition here. We have to be willing to look at alternatives.”
Sen. John McCain (R-Ariz.), the committee’s chairman, said the U.S. government currently seems to determine its response to cyber attacks on a “case-by-case basis”, which is “not a strategy.” McCain said his panel plans to hold more hearings in the coming months to explore a host of cyber questions, including when a military response to cyberspace aggression is appropriate and whether cyber-related entities in the executive branch and Congress should be reorganized.
“I don’t think that any of our people know, if they see an attack coming, what specific action should be taken,” McCain said. “I’ve asked time after time, ‘What do you do in the case of an attack?’ And there’s not been an answer.”
Director of National Intelligence James Clapper cautioned that a “direct cyber retaliation” is not always the best response to a cyber attack. Other tools, such as sanctions recently imposed in response to Russian hacking of U.S. political organizations, may sometimes present fewer complications, he told lawmakers.
“If you launch a counter-cyber attack and…you have to use some other nation’s infrastructure in order to mount that attack, that gets into…complex legal issues involving international law,” Clapper testified.
According to a joint written statement by Lettre, Clapper and Rogers, foreign cyber threats continue to grow, with more than 30 nations developing offensive cyber attack capabilities. Adversaries are showing increasing interest in mounting cyber attacks on critical infrastructure and information networks to bypass traditional defenses.
“Russian officials, for example, have noted publicly that initial attacks in future wars might be made through information networks in order to destroy critically important infrastructure, undermine an enemy’s political will, and disrupt military command and control,” the trio wrote.
While China, Iran, North Korea and terrorist groups are all considered “cyber threat actors,” Russia retains the most advanced capabilities, the statement says. Clapper, who has been leading an intelligence community review of Russian interference in the 2016 U.S. presidential election, said he plans to release a report on the review’s findings early next week.