If the number of hearings held is any sign, it’s clear lawmakers are worried about the U.S. government’s delay in adopting a cyber-defense policy in the wake of last week’s agreement with China. The Senate Armed Services Committee was the first to express its concerns Tuesday, and there are three more congressional hearings this week on the same topic.
The issue comes into focus after President Obama reached a “common understanding” on cyber conduct with Chinese President Xi Jinping last week. Separately, lawmakers are also anticipating reconsideration of a Senate cybersecurity bill sometime this fall.
The Armed Services Committee brought some heavy hitters to testify, with Director of National Intelligence James Clapper, Deputy Secretary of Defense Robert Work and Director of the National Security Agency Admiral Michael Rogers at the witness table. Work and Rogers are slated to appear before the House Armed Services Committee on Wednesday.
Committee members grilled these top defense officials about the Obama administration’s failure to implement a specific cyber defense policy, even though the National Defense Authorization Act for 2014 required the administration to write a plan in the event the government is hit with a cyber attack.
“One of the things that’s been disappointing to the committee is that in the…defense authorization bill, it required the president to develop an integrated policy. It’s now a year late,” Committee Chairman John McCain (R-Ariz.) said. “As far as I know and the committee knows, there has been no specific policy articulated.”
McCain’s disappointment is a likely preview of the sentiment at Wednesday’s House Armed Services hearing. House Armed Services Committee Chairman Rep. Edward Royce (R-Calif.) and Rep. Michael McCaul (R-Texas), a member of that committee and chairman of the Homeland Security Committee, jointly signed a letter to Obama in February 2015, following cyberattacks on Sony and health insurer Anthem.
The letter asked many of the same questions that arose in Tuesday’s Senate hearing. How does the U.S. government define an act of cyber war? How does it assess an appropriate response to an act of cyber war? Which agency is in charge of making these assessments? Royce and McCaul haven’t received a response to their letter.
At Tuesday’s hearing, Work offered a defense against lawmakers’ critiques. “Just because we have not published our policy…does not mean that if we had an attack tonight, that we do not have the structure in place right now with the national security team to get together to try to understand who caused the attack, to understand what the implications of the attack would be, and what response we should take,” Work said. “Those are in place right now.”
“The whole point of the response is deterrent so the attack won’t occur,” retorted Sen. Angus King (I-Maine). “Dr. Strangelove taught us if you have a doomsday machine and nobody knows about it, it’s useless.”
Deterrence is another concept that could arise in future cybersecurity discussions. The government currently doesn’t have a policy that explicitly states what the U.S. would do to curb future cyber attacks. That didn’t sit well with lawmakers. “The idea that we can continue to simply defend and never have an offensive capability, I just think is ignoring this enormous threat,” King said.
He then asked the panel if the U.S. needs an offensive cyber capability to deter incoming cyber attacks. Each member of the panel said yes, except for Clapper, who said, “Absolutely.”
Administration officials insisted that deterrents don’t need to be counter cyber attacks. They could come in the form of sanctions or other threats as well. Clapper said he believed the threat of sanctions against China played a big role in bringing the Chinese government to an agreement on cybersecurity. “It appears that the threat of potential economic sanctions, particularly imposing them right before the visit of President Xi, got their attention,” Clapper said.
Lawmakers then questioned the validity of the deal with China, asking whether the Chinese can be trusted to uphold their end of the bargain. Work clarified that it is not a treaty or deal, but a test to see if China means what it has said about its commitment to behaving in the cyber world.
“I would characterize the agreement that we have as a confidence building measure with the Chinese, where we are asking them to prove to us that they are serious about what they say about what they will do to control these efforts,” Work said. “It’s for us to find out if China is going to act responsibly.”
China and the United States have agreed to give each other timely responses when the other believes a cyber crime has taken place and to not knowingly conduct cyber theft of intellectual property. They have also agreed to promote international norms in cyberspace and to hold meetings twice a year to assess the pact’s efficiency.