How far is too far in cyber defense?

If it seemed that the national debate over federal cybersecurity authorities was obscured by the recent dizzying few weeks of sensational news, think again. The issue is inextricably linked to the furor over National Security Agency surveillance activities, and Capitol Hill testimonies and behind-the-scenes legislative action also are fueling deliberations over how far agencies can go in cyberspace.

Confusion and worry have not lessened. In addition to the question of boundaries, the debate concerns questions such as which agencies should lead national cybersecurity efforts, what role industry should play and even what constitutes cyber warfare. The most obvious solution is passing laws to address those questions, but that has proven to be impossible, to date, in a sharply divided Congress.

Insiders say it is a bit of a circular problem: Uncertainties remain because there are no defined laws, but lawmakers have been unable to pass laws amid ongoing debate over the uncertainties. Meanwhile, special authorities are being used as cyber threats continue to evolve, particularly by the Defense Department and intelligence agencies.

"The rapid increase in cyber espionage and disruptive attacks has captured the fears of national security officials. DOD, with its long-standing role in defending the nation, appropriately has become ever more seized, in part because of the challenges they see directly," said Greg Rattray, CEO of Delta Risk and former White House director for cybersecurity, at an Atlantic Council event in Washington on June 17. "The desire to have DOD figure that role out, figure out what Cyber Command should do in defense of not just DOD networks, but more broadly the nation, is very active. Everyone is sort of jumping forward to play as much of a role as they can because the fears are high."

Outside Congress, orders for conducting militarized cyber operations have been in place at least since last fall. Specifics of the top-secret Presidential Policy Directive 20, a memorandum authorizing military activities in cyberspace, emerged in recent days as part of the leak of classified NSA information. The directive includes definitions of the cyber environment and various operations, as well as provisions for the use of cyber operations and descriptions related to their use.

"The United States has an abiding interest in developing and maintaining use of cyberspace as an integral part of U.S. national capabilities to collect intelligence and to deter, deny, or defeat any adversary that seeks to harm U.S. national interests in peace, crisis, or war," the directive states, according to text published by The Guardian. "Given the evolution in U.S. experience, policy, capabilities, and understanding of the cyber threat, and in information and communications technology, this directive establishes updated principles and processes as part of an overarching national cyber policy framework."

That framework, however, is far from complete. Although the House passed the Cyber Intelligence Sharing and Protection Act in April and is said to be close to unveiling another measure that codifies the Department of Homeland Security's role as government cybersecurity lead, the Senate has yet to follow suit. The efforts come after legislation failed to pass last year, hamstrung by disagreements over privacy concerns and industry regulations. Provisions regarding the role of the private sector have proved a particular sticking point.

"The bigger issues -- the privacy issues, the business issues -- [are] what I understand really led to the breakdown in your efforts here on the Hill in trying to find compromise legislation last December. That yet needs to be bolted together," Defense Secretary Chuck Hagel told the Senate Budget Committee on June 12. "When you veer out in the private sector, how far you can go, what legal authorities you have, what laws govern that, are, I think, the large areas of some contested debate."

It's an ongoing debate that officials acknowledge is taking place throughout Washington between legislators, decision-makers, and members of industry and academia, even as fears of cyberattacks continue to mount.

"You can see in the discussions coming out of the White House and senior Pentagon circles that there's a significant amount of brainpower being directed toward figuring out the decisional process that would govern cyber conflict or, for that matter, even defining when it exists," Rep. Jim Langevin (D-R.I.) said at the June 17 Atlantic Council event.

"You can see in the discussions coming out of the White House and senior Pentagon circles that there's a significant amount of brainpower being directed toward figuring out the decisional process that would govern cyber conflict or, for that matter, even defining when it exists," Rep. Jim Langevin (D-R.I.) said at the June 17 Atlantic Council event.

Langevin noted that persistent Chinese cyber espionage, the attacks on Saudi Aramco and cyber warfare taking place on the Korean peninsula point to an increasingly volatile environment that can blur the battle lines -- and that demand effective action. "There's already technically a state of war" on the Korean peninsula, he said. "These attacks point to cyber threats not only existing but evolving in new ways."

Note: This article was updated on June 19 to clarify the focus of Rep. Langevin's remarks.