Senators ask what OPM hack means for global cyber relations

Lawmakers want more clarity from the State Department on how breaches, including the Office of Personnel Management hack, affect the push to establish cybersecurity norms with countries such as Russia and China.

"I want greater clarification on our goals, on our cyber policies, our protocols," Sen. Ben Cardin (D-Md.), ranking member of the Foreign Relations Committee's East Asia, the Pacific and International Cybersecurity Policy Subcommittee, told FCW after a hearing on international cybersecurity strategy.

In testimony before the subcommittee on May 25, Christopher Painter, coordinator for cyber issues at the State Department, said the agency is actively working to implement the cyber strategy the Obama administration introduced in 2011.

"We need to promote and create expectations on what these agreements mean and [what] the consequences will be," he said. That includes further engaging with countries such as Russia and China, which lawmakers brought up repeatedly during the hearing.

"We really don't seem to be pushing them to the dialogue needed to stop their bad behavior, and that's why we probably ought to look at a change in models," Subcommittee Chairman Sen. Cory Gardner (R-Colo.) told FCW after the hearing. He said it is important to reach agreement with like-minded nations and not give in to adversaries that have been identified as the key suspects in major hacks, such as those that targeted Sony and OPM.

Gardner added that the 2011 cyber strategy has not been modified to reflect the actions taken by Russia and China, and therefore "more needs to be done."

Cardin echoed his colleague's remarks by saying that any hack on American government systems should be "protected in Internet Protocol."

"We have to have clear policies that using cyber in certain ways will put on the table all responses by the United States, including invoking the self-defense under the United Nations charter," Cardin said.

Painter told lawmakers that the State Department wants other countries to know what the consequences would be for violating any of the agreements or norms that have been adopted. He cited the example of the U.S./China cybertheft agreement reached in September 2015 as an example of modest progress in this area.

Gardner asked whether Painter's role should be raised to the level of special envoy or ambassador and added that he has co-sponsored an amendment to the National Defense Authorization Act that would elevate U.S. Cyber Command to a unified combatant command.

Gardner told FCW his amendment was important because "this is the ballgame going forward." The House version of NDAA, which the Obama administration has threatened to veto, includes a similar provision.

Painter argued that creating any type of red lines in cyberspace gives adversaries the incentive to "creep up to the clear red lines" without crossing them. By contrast, voluntary, agreed-upon norms encourage good behavior.

"If observed, these stability measures -- which are measures of self-restraint -- can contribute substantially to conflict prevention and stability," Painter said.