Cyber Policy

How far is too far in cyber defense?

cyber attack button

If it seemed that the national debate over federal cybersecurity authorities was obscured by the recent dizzying few weeks of sensational news, think again. The issue is inextricably linked to the furor over National Security Agency surveillance activities, and Capitol Hill testimonies and behind-the-scenes legislative action also are fueling deliberations over how far agencies can go in cyberspace.

Confusion and worry have not lessened. In addition to the question of boundaries, the debate concerns questions such as which agencies should lead national cybersecurity efforts, what role industry should play and even what constitutes cyber warfare. The most obvious solution is passing laws to address those questions, but that has proven to be impossible, to date, in a sharply divided Congress.

Insiders say it is a bit of a circular problem: Uncertainties remain because there are no defined laws, but lawmakers have been unable to pass laws amid ongoing debate over the uncertainties. Meanwhile, special authorities are being used as cyber threats continue to evolve, particularly by the Defense Department and intelligence agencies.

"The rapid increase in cyber espionage and disruptive attacks has captured the fears of national security officials. DOD, with its long-standing role in defending the nation, appropriately has become ever more seized, in part because of the challenges they see directly," said Greg Rattray, CEO of Delta Risk and former White House director for cybersecurity, at an Atlantic Council event in Washington on June 17. "The desire to have DOD figure that role out, figure out what Cyber Command should do in defense of not just DOD networks, but more broadly the nation, is very active. Everyone is sort of jumping forward to play as much of a role as they can because the fears are high."

Outside Congress, orders for conducting militarized cyber operations have been in place at least since last fall. Specifics of the top-secret Presidential Policy Directive 20, a memorandum authorizing military activities in cyberspace, emerged in recent days as part of the leak of classified NSA information. The directive includes definitions of the cyber environment and various operations, as well as provisions for the use of cyber operations and descriptions related to their use.

"The United States has an abiding interest in developing and maintaining use of cyberspace as an integral part of U.S. national capabilities to collect intelligence and to deter, deny, or defeat any adversary that seeks to harm U.S. national interests in peace, crisis, or war," the directive states, according to text published by The Guardian. "Given the evolution in U.S. experience, policy, capabilities, and understanding of the cyber threat, and in information and communications technology, this directive establishes updated principles and processes as part of an overarching national cyber policy framework."

That framework, however, is far from complete. Although the House passed the Cyber Intelligence Sharing and Protection Act in April and is said to be close to unveiling another measure that codifies the Department of Homeland Security's role as government cybersecurity lead, the Senate has yet to follow suit. The efforts come after legislation failed to pass last year, hamstrung by disagreements over privacy concerns and industry regulations. Provisions regarding the role of the private sector have proved a particular sticking point.

"The bigger issues -- the privacy issues, the business issues -- [are] what I understand really led to the breakdown in your efforts here on the Hill in trying to find compromise legislation last December. That yet needs to be bolted together," Defense Secretary Chuck Hagel told the Senate Budget Committee on June 12. "When you veer out in the private sector, how far you can go, what legal authorities you have, what laws govern that, are, I think, the large areas of some contested debate."

It's an ongoing debate that officials acknowledge is taking place throughout Washington between legislators, decision-makers, and members of industry and academia, even as fears of cyberattacks continue to mount.

"You can see in the discussions coming out of the White House and senior Pentagon circles that there's a significant amount of brainpower being directed toward figuring out the decisional process that would govern cyber conflict or, for that matter, even defining when it exists," Rep. Jim Langevin (D-R.I.) said at the June 17 Atlantic Council event.

"You can see in the discussions coming out of the White House and senior Pentagon circles that there's a significant amount of brainpower being directed toward figuring out the decisional process that would govern cyber conflict or, for that matter, even defining when it exists," Rep. Jim Langevin (D-R.I.) said at the June 17 Atlantic Council event.

"You can see in the discussions coming out of the White House and senior Pentagon circles that there's a significant amount of brainpower being directed toward figuring out the decisional process that would govern cyber conflict or, for that matter, even defining when it exists," Rep. Jim Langevin (D-R.I.) said at the June 17 Atlantic Council event.

Langevin noted that persistent Chinese cyber espionage, the attacks on Saudi Aramco and cyber warfare taking place on the Korean peninsula point to an increasingly volatile environment that can blur the battle lines -- and that demand effective action. "There's already technically a state of war" on the Korean peninsula, he said. "These attacks point to cyber threats not only existing but evolving in new ways."

Note: This article was updated on June 19 to clarify the focus of Rep. Langevin's remarks.

The 2014 Federal 100

Get to know the 100 women and men honored this year for going above and beyond in federal IT.

Reader comments

Wed, Jun 19, 2013

The problem that is creating much of the controversy is the difference (very little) between cyber espionage and gathering information. When the Fed is now "gathering information" on law abiding U.S. citizens, one has to wonder if the Government has started to wander outside their role of protector and into the role of agressor. We have concerns about Chinese cyber espionage and then discover that the Fed is engaging in some of the same activity against us in order to "protect us". One begins to wonder if some of cyber defense we get is really about defense or about some other objective. Throw in the latest scandal about the IRS and suddenly a lot of people start to get skeptical of getting enhanced "cyber defense".

Wed, Jun 19, 2013

So in fear and paralysis we let Congress decide that the 4th amendment doesn't apply. And now Congress lets the government (NSA et al) collect everything it can on everybody, then later ask for permission (a warrant) to go look at that data. Collect now, sieze later; Search now, accuse later; Seems a slippery slope. The founding fathers warned of that tyranny whether exercised by a divine-right king or political-elitists. Not that I encourage terrorism or other attacks, but the American people need to be educated and ready to resist such attacks without the government playing big-brother and nanny. If we were exposed to the threat a bit more we might understand the value strengthening states right and in not letting foreigners (and the NSA) use our system of freedom against us. And if it works so well, what happened in Ft. Hood or in Boston? It does not seem worth the price, sacrificing a little freedom for a little security. We will end up with neither.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above