Lawmakers are growing impatient with the Trump administration on the issue of cyber war, saying the United States lacks a clear policy for responding to attacks.
Frustrations over the lack of a comprehensive cyber policy boiled over during a Senate Armed Services Committee hearing on Thursday. The hearing ended with Chairman John McCainJohn Sidney McCainRubio asks Army to kick out West Point grad with pro-communist posts The VA’s woes cannot be pinned on any singular administration Overnight Defense: Mattis offers support for Iran deal | McCain blocks nominees over Afghanistan strategy | Trump, Tillerson spilt raises new questions about N. Korea policy MORE (R-Ariz.) issuing a veiled threat to subpoena the White House national security official responsible for coordinating cybersecurity policy across the federal government.
“We have authorities that I don’t particularly want to use,” McCain said. “But unless we are allowed to carry out our responsibilities to our voters who sent us here, we’re going to have to demand better cooperation and teamwork than we are getting now.”
McCain and other lawmakers have been clamoring since the Obama administration for a comprehensive policy for the U.S. government to deter and respond to cyberattacks.
The issue has gained greater attention in the wake of Russia’s interference in the 2016 presidential election, which involved targeting Democrats’ personal email accounts as well as state and local election systems.
On Thursday, top cyber officials from the Pentagon, FBI and Department of Homeland Security (DHS) were brought before the committee to answer questions about efforts to respond to threats to U.S. critical infrastructure from nation states, including Russia and North Korea.
One invitee was notably absent. McCain announced at the start of the hearing that the White House had blocked cyber czar Rob Joyce from testifying, citing executive privilege and “precedent against having nonconfirmed [National Security Council] staff testifying before Congress.”
While not unusual, Joyce’s absence drew fire from both Democrats and Republicans.
“The empty chair is outrageous. We had a foreign government go at the heart of our democracy,” said Sen. Claire McCaskillClaire Conner McCaskillKoch-backed group targets red-state Dems on tax reform Overnight Cybersecurity: Equifax security employee left after breach | Lawmakers float bill to reform warrantless surveillance | Intel leaders keeping collusion probe open Las Vegas highlights Islamist terrorism is not America’s greatest domestic threat MORE (D-Mo.). “I am disgusted that there isn’t a representative here that can address this.”
“I personally did not see this as an adversarial discussion today,” said Sen. Mike RoundsMarion (Mike) Michael RoundsOvernight Regulation: Trump temporarily lifts Jones Act for Puerto Rico | Bill would exempt some banks from Dodd-Frank | Senators unveil driverless car bill House sends FAA extension to Trump’s desk with hurricane tax relief Senate passes FAA extension without flood insurance provision MORE (R-S.D.), who lamented the lack of “cooperation” from Joyce. “I saw this as one in which we could begin in a cooperative discussion about how we take care of the seams that … we believe exist between the different agencies responsible for the protection of the cyber systems within our country.”
McCain told reporters after the hearing that the committee would meet to “discuss the issue” of potentially subpoenaing Royce.
Currently, cybersecurity authorities are spread across multiple agencies, including the departments of Defense, Homeland Security and Justice. Homeland Security is responsible for protecting federal civilian networks and critical infrastructure, while Cyber Command and the National Security Agency cultivate offensive cyber capabilities within the Pentagon.
Last year, lawmakers inserted language into annual defense policy legislation requiring the Pentagon to spell out the military and nonmilitary options for deterring and responding to malicious cyber activity. The report is supposed to trigger the Trump administration to stipulate what actions in cyberspace may constitute an act of war.
That report has not yet been completed, a top Pentagon official told senators on Thursday, despite the deadline that passed earlier this year.
“We will be submitting it to you shortly,” said Kenneth Rapuano, the assistant defense secretary for homeland defense and global security
“Shortly doesn’t make me feel better. Is that geologic time?” answered Sen. Angus KingAngus Stanley KingSenate confirms No. 2 spot at HHS, days after Price resigns Overnight Defense: Mattis offers support for Iran deal | McCain blocks nominees over Afghanistan strategy | Trump, Tillerson spilt raises new questions about N. Korea policy Mattis: Staying in Iran deal is of US national security interest MORE (I-Maine).
“If all we do is try to patch networks and defend ourselves, we will ultimately lose,” King continued. “Right now, we are not imposing much in the way of consequences.”
Officials acknowledged Thursday that, while agencies have made progress in coordinating cyber deterrence and response efforts, more work needs to be done.
“I would suggest that we’re getting there, that we’re working on the coordination,” said Christopher Krebs, a top official at DHS’s National Protection and Programs Directorate. “This is a battle that is going to be going on for many years. We’re still trying to get our arms around it.”
That didn’t do much to assure lawmakers who have demanded the administrations of Barack ObamaBarack Hussein ObamaAll five living former presidents to attend hurricane relief concert Overnight Health Care: Schumer calls for tying ObamaCare fix to children’s health insurance | Puerto Rico’s water woes worsen | Dems plead for nursing home residents’ right to sue Interior moves to delay Obama’s methane leak rule MORE and now Donald TrumpDonald John TrumpIvanka Trump pens op-ed on kindergartners learning tech Bharara, Yates tamp down expectations Mueller will bring criminal charges Overnight Cybersecurity: Equifax security employee left after breach | Lawmakers float bill to reform warrantless surveillance | Intel leaders keeping collusion probe open MORE set forth a comprehensive policy.
Senators particularly took issue with a chart dated January 2013 that officials circulated to committee members to explain the government’s efforts in cyberspace.
“To hand out a five-year-old chart as to how we are going to fix this situation is just — is totally, totally insufficient,” said Sen. Bill NelsonClarence (Bill) William NelsonSenate panel approves bill to speed up driverless cars Dems plan to make gun control an issue in Nevada Overnight Cybersecurity: Trump proclaims ‘Cybersecurity Awareness Month’ | Equifax missed chance to patch security flaw | Lawmakers await ex-CEO’s testimony | SEC hack exposed personal data MORE (D-Fla.).
But officials sought to spotlight the difficulties of developing a doctrine that spells out distinct consequences for actions in cyberspace.
“I think the challenge that we have that is somewhat unique in cyber is defining a threshold that then does not invite adversaries to inch up close but short of it,” said Rapuano. “Therefore, the criteria, it’s very difficult to make them highly specific versus more general, and then the downside of the general is it’s too ambiguous to be meaningful.”
Rapuano said that the cybersecurity executive order signed by Trump in May, which triggered a number of assessments across the federal government, would pave the way for the administration to develop a doctrine for collective cyber defense.
But lawmakers have already tried to take the issue into their own hands absent action from the executive branch.
McCain has helped lead a charge to insert language into Senate-approved defense legislation that spells out a specific cyber warfare doctrine. The White House has sternly objected to the provision, saying it would infringe on the president’s powers.
This week, Defense Secretary James MattisJames Norman MattisOvernight Defense: Tillerson, Trump deny report of rift | Tillerson says he never considered resigning | Trump expresses ‘total confidence’ in secretary | Rubio asks Army to kick out West Point grad Rubio asks Army to kick out West Point grad with pro-communist posts Trump, honor Obama’s agreement to release Guantanamo detainee MORE also wrote to Congress encouraging lawmakers to drop the provision, which would require that the U.S. military to notify foreign governments of its intent to combat certain cyber threats by actors in that country.
“The nature of cyber-attacks is ever evolving, and we need to maintain our ability to take decisive action against this increasingly dangerous threat,” Mattis wrote.
McCain did not appear deterred by Mattis’s objection to the provision on Thursday.
“We’ve had to push them for years,” he told reporters.