30 January 2017

Can Congress help boost US digital defenses?

Kevin Lamarque

After US intelligence officials blamed Russia for interfering in November's vote, a new Senate subcommittee will help the Defense Department build up its digital arsenal for the next generation of cybersecurity threats. 

JANUARY 25, 2017 —President Trump isn't the only person in Washington pledging to revamp the nation's approach to cybersecurity. 

The new commander-in-chief has tasked former New York Mayor Rudy Giuliani with forming a team to boost US digital defenses, and Congress wants to help the Pentagon streamline its computer attacking and defending capabilities. 

Earlier this month, Senate Armed Services committee chairman John McCain (R) of Arizona tapped Sen. Mike Rounds (R) of South Dakota to lead a new subcommittee that will oversee the Pentagon's potential efforts to shake up the cybersecurity bureaucracy and prepare for a new generation of digital threats from Moscow, China, and Iran. 

“This is an ever-changing environment that puts challenges on our Defense Department and intelligence communities,” Mr. Rounds told Passcode. “As our adversaries and competitors continue to improve, we have to offer deterrence.”

Though Mr. McCain and Rounds have not outlined a specific agenda for the subcommittee, scheduled to begin hearings later this year, President Obama signed a budget in December that promises big changes to how the Pentagon handles cybersecurity. The 2017 National Defense Authorization Act (NDAA) would elevate Cyber Command to a fully fledged combatant command and decouple the military unit from the National Security Agency.

It's not clear yet whether the Trump administration will implement those changes. Rounds told Passcode that he hasn't made up his mind about splitting the roles, but said having NSA Director Adm. Michael Rogers in both positions since 2014 "had some advantages."

On the heels of a report from the Office of the Director of National Intelligence that blamed Russian President Vladimir Putin for ordering an elaborate campaign to sway November’s election in favor of Mr. Trump, Congress could also help establish rules of the road for cyberwarfare. The NDAA also included legislative language proposed by Rounds that aims to clarify the definition of war in cyberspace and the kinds of weapons the Defense Department could use to respond to digital attack.

“The critical part for us is in the future, if we clearly define what we define to be unacceptable and we clearly back it up with not just the red line but back it up with impactful responses,” Rounds said. “If we’re going to war, we expect the president to say so. Commanders on the ground should have the ability to defend their troops. Are other domains available to respond to a cyber attack?”

Follow Passcode!

Cybersecurity news and analysis delivered straight to your inbox.

Like members of Trump’s incoming cabinet, also Rounds appears to be more bullish than the president in condemning alleged Russian hacks of the Democratic National Committee and other political organizations.

"Russia clearly was responsible for getting into DNC and Secretary Clinton’s campaign infrastructure and they were able to steal information," said Rounds. "They tried to influence elections using propaganda in the past, this time they were overtly trying to create a lack of confidence."

The Russia issue will get more air time in Congress this session. The Senate Intelligence Committee, led by chairman Richard Burr (R) of North Carolina, plans an investigation of suspected Russian interference.

Congress may have also have an opportunity to guide how the Pentagon classifies cyberattacks as acts of war, and how to respond to damaging digital assaults, says Dave Weinstein, a former civilian official at Cyber Command, who currently serves as New Jersey's chief technology officer.

“Here’s what constitutes an offensive cyberoperation, here is a defensive cyberoperation, here is where a line of code constitutes a weapon," he says. "Those types of norms and that strategy guidance coming from Congress is critical, otherwise the military will write its own rules.” 

Rounds says he also sees a possible role for the subcommittee and the Defense Department in protecting critical infrastructure – a mission that was often handled by the Department of Homeland Security during the Obama administration. 

"What if it is a private company's assets that are being attacked? At what point does the Department of Defense step in – or are these companies on their own such as when Sony was hacked," he said.

The evolution of Cyber Command will likely become prove a key focus for members of Congress focused on national security, especially as the threat of cyberattacks continues to grow in the US and abroad.

"Cyber Command is being treated more and more like [Special Operations Command], not just in terms of having warfighting authority, but in terms of having resource authority," says Michael Sulmeyer, director of the Cyber Security Project at Harvard University's Belfer Center and a former Pentagon official. "I think the Congress will want to have more than passing insight into how that develops.

No comments: