'I think we need to throw a few stones'
The U.S. is still searching for a cyber deterrence policy and strategy, and former senior officials say there can’t be a strategy without better cyber defense and resilience.
In a packed hearing room on May 11, the heads of six intelligence and law enforcement agencies briefed the Senate Intelligence Committee on global threats facing the U.S. The lengthy session frequently veered off into political intrigue around the firing of FBI Director James Comey and the ongoing investigation into ties between Trump associates and Russia.
Yet while cyber topped the list of threats discussed in the annual hearing, the topic received a more thorough evaluation at a Senate Armed Services Committee hearing taking place at the same time.
With not a single spectator in the room, former officials from the military and intelligence community warned of the need to improve U.S. cyber defenses and resilience and to develop a doctrine of cyber deterrence.
Committee Chairman John McCain (R-Ariz.) opened the hearing with a familiar refrain of his.
“No matter how well organized and prepared the Department of Defense may be, glaring gaps in our national cyber policy, strategy and organization undermine our ability to defend the homeland and deter those seeking to undermine our national security in cyberspace,” he said.
“To me, the first order of business is defense and resilience,” said former Director of National Intelligence James Clapper. He argued that unless the U.S. has confidence in its ability to withstand a counter-retaliation, it will be impossible to develop a deterrence strategy.
“This applies not just to the federal government writ large,” he added, “but applies equally to people sitting in the White House situation room or boardrooms.”
Retired Adm. James Stavridis, dean of the Fletcher School of Law and Diplomacy, testified that the U.S. lacks both the capability and credibility to effectively deter adversaries.
He said the U.S. should create an independent cyber force in the military as a long-term show of force.
“In addition to signaling our long-term commitment to defending our interests in cyberspace, we must also signal both the capability and the will to project cyber force across the globe,” he added.
Both Stavridis and former National Security Agency Director Michael Hayden argued that the U.S. must demonstrate its offensive cyber capability and start creating international case law around the use of cyber force.
Stavridis posed the idea of punishing Russia by altering the bank accounts of Putin and his associates or simply revealing the account information to the Russian people. “That kind of reveal, I think, would have a salutary effect.”
Hayden said another step would be to “attack the foundations of Russian autocracy” by releasing anonymizing tools to allow citizens and dissidents to avoid the surveillance of the Russian government.
“I'm all for doing this, but there needs to be due consideration for what the counter retaliation might be,” Clapper warned. “They might not react in kind.”
“We do live in a glass house, [but] I think we need to throw a few stones or we're going to see more and more of this, and it will ratchet up over time,” Stavridis said.
The three witnesses agreed that the U.S. must increase cybersecurity education across the government and private sector and that the intelligence community should declassify and share more timely and relevant information with the private sector.
Hayden emphasized that the traditional model of the government leading the private sector in security does not apply in the cyber domain.
He said industry needs to be liberated and unleashed because in all but the most extreme cases, “we're going to win or lose a cyber engagement based upon the private sector's performance.”
Where the three former officials differed most in their testimony was on how the government should align itself around cyber.
Stavridis proposed vesting cyber authority in a high-level official such as a cabinet secretary for cyber or a director of national intelligence for cyber.
Hayden said that the U.S. Coast Guard is an intriguing model because it is a combination law enforcement, first response, public safety, educational and combat entity.
“It straddles government and private sector,” he said. “We really do have to do that in terms of cybersecurity.”
Clapper dissented from the view that the U.S. needs a substantial reorganization around cyber, saying that the current structure can work as long as each component of the government has clearly defined authorities and resources. The only significant change he advocated is the split of the NSA and U.S. Cyber Command.
“NSA is a crucial component of the intelligence community, and I don't believe it's healthy for it to be essentially subordinated to a sub-unified command in DOD,” he added.
NEXT STORY: How Do You Protect a Helicopter From a Hacker?