Consider a cyber hypothetical.
If, say, the Russian government hacks the 2018 midterm elections using infrastructure located in Ukraine, the United States might want to respond. Today, experts say that U.S. officials have not publicly acknowledged they could forgo permission from the Ukrainian government to hack-back.
But in its version of annual defense authorization bill, the Senate Armed Services Committee proposes bolstering America’s cyber prowess through a collection of new funding and programs. Included in the measure is a provision that means the U.S. would not need to ask-first before responding to cyber interference.
Overall, the defense proposal highlights threats from Russia and China. The bill proclaims the U.S. will not only call its cyber forces in response to actions that could threaten Americans or citizens of friendly nations, but allows it to retaliate against attacks on critical infrastructure.
While a summary of the bill was released on May 24, the Senate released the full text June 6.
New cyber provisions
The right to act in another country is a norm in counterterrorism operations, said Michael Schmitt, a professor at the U.S. Naval War College. But “this is the first time we have seen this written out expressly in the cyber domain,” Schmitt said.
“It appears the bill has either expanded the notion of self-defense to include significant disruptions of democratic society, or is embracing the notion of due diligence — that in any country who fails to control their own cyber territory, we can exercise our own countermeasures.”
The provision is supposed to defend against bad actors using a network in another country, said Megan Reiss, a senior national security fellow at the R-Street Institute, a non-profit public policy research institute. “Some may have thought this already existed even though it wasn’t in the public doctrine. But it goes along with repeated calls both in and outside of Congress that the U.S. should be setting the standards for cyberspace.”
The proposed bill also includes the Cyberspace Solarium Commission, which hopes to strengthen U.S. digital defense with new expertise. The commission was modeled after a project under the Eisenhower Administration that forged U.S. nuclear policy in the 1950s.
“The idea is to take the most interesting insights from three groups approaching a problem in different ways to create a new strategy,” Reiss said. “It is supposed to get people from thinking about a problem through only one lens or framework.”
A cyber-counseling program that certifies small business professionals and provides cyber planning for small manufacturers was also proposed in the legislation. Both U.S. officials and defense contractors have called for increased public-private sector cooperation.
Focus on China and Russia
The committee’s bill also targeted two of America’s top cyber nemesis: Russia and China.
The proposal barred the procurement of telecommunications equipment from China. It singled out Chinese telecommunication giants Huawei and ZTE regarding allegations their products were not safe for U.S. government use.
President Donald Trump has recently supported ZTE after it was sanctioned for illegal sales to Iran and North Korea.
The text highlighted Russia as well. If defense officials determine that Russia is conducting systemic cyberattacks against the U.S., the bill promised “proportional action” that would “disrupt, defeat, and deter” hackers.