McCain continues push for cyber policy

Arizona senator says the U.S. still lacks a clear policy for deterring and defending against cyberattacks and vows to pressure the Trump administration to develop a comprehensive cyber strategy.

Sen. John McCain (R-Ariz.), chairman of the Senate Armed Services Committee, is running out of patience when it comes to the U.S. formulating what he considers an effective cyber strategy.

"This committee has not been shy about expressing its displeasure over the lack of policy and strategy for deterring, defending against and responding to cyberattacks," McCain said at a March 2 hearing on cyber strategy and policy.

"I have yet to find any serious person who believes we have a strategic advantage over our adversaries in cyberspace, and in fact many of our civilian and military leaders have explicitly warned the opposite," said McCain, who added that his committee will continue to pressure the Trump administration to develop a "cyber strategy that represents a clean break from the past."

McCain has been one of the leading voices for the U.S. to develop a muscular cyber deterrence policy and to take more aggressive action against Russia for its hacking and information operations directed at the 2016 presidential election.

But if McCain and other senators were hoping witnesses at the hearing would provide a silver-bullet solution to deterrence and U.S. cyber policy, they were left wanting.

"The unfortunate reality is that for at least the next decade, the offensive cyber capabilities of these major powers are likely to far exceed the United States' ability to defend essential critical infrastructure," said Dr. Craig Fields, chairman of the Defense Science Board, and board member Dr. Jim Miller in their prepared testimony.

Retired Gen. Keith Alexander, former head of the National Security Agency and U.S. Cyber Command, said that despite recent efforts to clarify roles and responsibilities in government and the private sector in response to a cyber attack, stovepipes and confusion remain, and the U.S. still lacks both a strategy and a system to test and refine a strategy.

Alexander said the Department of Homeland Security, law enforcement agencies, the intelligence community and the Department of Defense need to be brought together under one framework.

"Before we do that, I would highly recommend that we get those four groups together and practice," he said. "We haven't done that, so what you have is people acting independently and with those seams, we will never defend this country."

A number of senators argued the U.S. needs a more aggressive deterrence policy in the face of Russia and other actors. The panelists, however, said that while there is a need for a more clearly defined and "declaratory" set of responses that will raise the cost on adversaries and deter them from attacking, the U.S. still needs to raise its defenses and resiliency.

"I do think we have to push back overtly so that the rest of the world knows that, but we also need to fix our defense," said Alexander. "It's wide open, and what happened and what's happening, people can get in and take what they want."

Sen. Angus King (I-Maine) argued that if the U.S. can't defend itself, then deterrence is the only option. He asked the panelists if the necessary reforms can be made by the executive branch or whether legislation is necessary.

"I do believe there is a solution out there where government and industry could work together and provide a much better defensible architecture," said Alexander.

Alexander said the U.S. has been talking about cyber policy for years, but has not moved forward with creating rules of engagement and training in the government. He said Congress and the executive branch need to stop having the same conversation every year and move forward with reforms.