U.S. Intelligence Chiefs Testify on Cyberthreats to Nation

The U.S. government has no cohesive or detailed retaliatory response to the increasing number of cyber attacks against national interests and security, a shortcoming that top U.S. intelligence leaders said disrupts the development of a deterrence framework.

The government struggles to effectively derail nation-states and cyber intruders that repeatedly have highlighted U.S. vulnerabilities in a string of notorious incidents, officials testified Thursday at a Senate committee hearing on foreign cyberthreats to the United States.

While much of the Senate Armed Services Committee hearing focused on Russia’s interference during the U.S. presidential electoral process, lawmakers and panelists highlighted other notable breaches to underline the limitations, including China’s breach of the Office of Personnel Management that exfiltrated the sensitive records of 22 million federal employees and North Korea’s hack of Sony Pictures Entertainment emails.

The lack of retaliation—at least as far as the public is aware—undermines U.S. credibility to stave off future intrusions, lawmakers offered during the hearing.

These same shortcomings are highlighted in a new report written by AFCEA’s Cyber Committee. “Our current situation leaves us in a state of conflicting policy and strategy, with a lack of coordinated preparation and response,” warns the report, titled Key Cyber Issues and Recommendations: A Way Forward. “Defining authorities and creating normalized terminology for a whole-of-nation approach will put the country on a stronger footing to address our national security, including economic security.”

A comprehensive cyber strategy and policy, which includes diplomatic, military, legal and private industry input, “must translate into actual measurable practices, with the agility to adjust and/or discontinue, if necessary,” the report states.

Beyond the exfiltration or the “weaponizing” of the information, officials worry about more serious threats looming on the horizon, they said. “What happens when we see people manipulating our networks so that we can’t believe the data we’re looking at?” asked Adm. Michael Rogers, USN, commander of U.S. Cyber Command and director of the National Security Agency (NSA). “That would be a real, fundamental game changer. It’s only a question of the ‘when’ not the ‘if’ that this is going to happen.”

The United States faces security challenges posed by near-peer nations such as China and Russia, which easily could cripple the nation’s critical infrastructure with devastating results, they testified. Not far behind with increasingly sophisticated attacks are Iran, North Korea and global terrorist groups such as the Islamic State of Iraq and the Levant (ISIL) and al-Qaida.

The world does not seem intimidated by the United States, lawmakers admonished.

“It concerns me that we really don’t know what the deterrence ought to be,” said Sen. Roger Wicker (R-MS), echoing worry expressed by committee chairman Sen. John McCain (R-AZ). "What do you do in the case of an attack?" McCain asked. "There's not been an answer."

It’s a worry that troubles top government officials as well, they testified. “How do we convince nations and other actors out there that there is a price to pay for this behavior—that in fact, it is not in your best interest,” Rogers said.

Countering a cyber attack with technology is not the only retaliation that should be considered, Director of National Intelligence James Clapper offered. “When something major happens in cyberspace, our automatic default policy position should not be exclusively to counter cyber with cyber,” Clapper said. “We should consider all instruments of national power” to include imposing sanctions or addressing diplomatic relations.

The U.S. government must continue to develop and refine its national cyber policy framework, which includes the evolution of all dimensions of a deterrence posture, and build up the “ability to deny the adversary its objectives, to impose costs and to ensure we have a resilient infrastructure to execute a multi-domain mission,” said Marcel Lettre II, undersecretary of defense for intelligence.

“If we’re looking for the perfect solution, there isn’t one,” Adm. Rogers added. “This will be a variety of incremental solutions and efforts that are going to play out over time.”

While there is great interest now in Russia’s interference with the U.S. presidential election, the cyber incident only skims the surface of much larger vulnerabilities, shared Clapper, 15 days from retirement. “Adversaries are pushing the envelope since this is a tool that doesn't cost much and sometimes is hard to attribute,” Clapper said.

The Defense Department has three key cyber-based missions: defending DOD networks, providing cyber operations for military commanders and “when called upon by our nation’s leaders, defending the nation against cyber attacks of significant consequence,” Lettre said. The military is countering the prospect of Russian aggression and coercion, especially in Europe, while managing a historic pivot to the Asia-Pacific region, he offered.

Officials want to strengthen partnerships between the government and industry and “find the right balance to enable the intelligence community and law enforcement to operate while still respecting the rights to privacy,” Clapper said. Already, the government is leveraging the “rapidly advancing commercial encryption capabilities that will have profound effects on our ability to detect terrorists and their activities.”

And while information sharing between the government and businesses has improved, particularly following Congress’ passage of legislation in 2015, the sharing and onus of securing networks remains uneven, Clapper added. “The private sector needs to up its game on cybersecurity and not just wait for the government to provide perfect warning or a magic solution,” Clapper said.