Despite the inherent and unique challenges cyberspace poses independent of physical domains, members of the Senate Armed Services Committee continued to lament the lack of any defined policy or strategy.
During an Oct. 19 hearing, members of the committee chastised the Defense Department’s witness given that after several years of working the problem, the answer to how the department may respond to actors or incidents is essentially: it depends.
“The challenge that we have that is somewhat unique in cyber is defining a threshold that then does not invite adversaries to inch up close but short of it,” Kenneth Rapuano, assistant secretary of defense for homeland defense and global security and a principle cyber adviser, said. “It is difficult to make [criteria] highly specific versus more general and the downside of the general is it’s too ambiguous to be meaningful.”
Rapuano was responding to criticism from Sen. Angus King, I-Maine, that the U.S. needs a clear doctrine where adversaries know if they do “x,” “y” will happen.
“Part of the problem also is we tend to want to keep secret what we can do when in reality a secret deterrent is not a deterrent. The other side has to know what’s liable to happen to them,” King said.
However, as Rapuano alluded to, many top thinkers and officials in the cyber world assert that detailing U.S. thresholds for responses will allow adversaries to creep right up without fear of retaliation, thus necessitating some level of case-by-case flexibility.
Citing a similar refrain when pressed, Rapuano noted the U.S. has several tools to choose from when it comes to deterring cyber activity from a whole of government approach. These, he said, include diplomatic, economic, trade and military options to include both kinetic and cyber measures.
“Cyber Command is developing its suite of capabilities against a variety of targets that are … inclusive to responding to attack on U.S. critical infrastructure,” Rapuano said in response to a question regarding whether or not Cyber Command is prepared to engage and defeat an attack against critical infrastructure.
“What is, for want of a better term, the trigger? You suggested an act of war – we’re still on sort of the definitional phase of trying to figure out what would prompt this. We have the capability but the question is under what circumstance do we use this. Is that fair?” Sen. Jack Reed, D-R.I. asked, to which Rapuano responded in the affirmative.
“I can go back four years ago, I can go back two years ago, I can go back one year ago; I get the same answers,” committee chairman John McCain, R-Ariz., said. “We put into the defense authorization bill a requirement that there be a strategy followed by a policy followed by action. We have now four months late a report that’s due before the committee.”
The National Defense Authorization Act signed last December sought “a report on the military and nonmilitary options available to the United States for deterring and responding to imminent threats in cyberspace and malicious cyber activities carried out against the United States by foreign governments and terrorist organizations.”
“It was our original intent and desire to couple the two with the input both into the president’s EO and as well as the input back to the Senate. Based on the delay of the president’s EO, we de-coupled that because we recognize your impatience,” Rapuano said regarding the now months late congressional report and a separate yet similar report mandated by an executive order signed in May. “We will be submitting it to you shortly and I’ll get a specific date.”
Regarding the executive order, Rapuano noted one of the intentions behind it was to “understand [deterrence options] in the wider context of our capabilities, different authorities and to start being more definitive about what those deterrence options are and how we can best use them.”
During his opening statement, Rapuano noted that DoD will likely be updating its cyber strategy. The most recent strategy was released in 2015.
“We will also be updating our DoD cyber strategy and polices on key cyber issues such as deterrence and translating this guidance into capabilities, forces and operations that will maintain our superiority in this domain,” he said.
“We are guessing with a new administration that there’ll be a desire to update the DoD cyber strategy – last one published in April of 2015,” Maj. Gen. Burke “Ed” Wilson, acting deputy assistant secretary of defense for cyber policy and deputy principal cyber adviser to the secretary of defense, said during a keynote address in March of this year.