McCain spars with DoD's principal cyber adviser over Pentagon's roles in cybersecurity

In a heated exchange before the Senate Armed Services Committee on Oct. 19, the committee’s chairman sparred with the Department of Defense’s principal cyber adviser over the Pentagon’s roles in protecting the nation in cyberspace.

“Although DoD has built capacity and unique capabilities, for a number of reasons, I would caution against ending the current framework and against reassigning more responsibility for incident response to the Department of Defense,” Kenneth Rapuano, assistant secretary of defense for homeland defense and global security and a principal cyber adviser, wrote in his prepared testimony.

“[T]he United States has a long normative and legal tradition limiting the role of the military in domestic affairs. This strict separation of the civilian and the military is one of the hallmarks of our democracy and was established to protect its institutions. Designating DoD as the lead for the domestic cyber mission risks upsetting this traditional civil-military balance,” Rapuano’s testimony read.

“You said that it’s not Department of Defense responsibility — suppose if the Russians had been able to affect the outcome of the last election,” SASC Chairman John McCain, R-Ariz., charged. “Would that fall under the responsible and authority to some degree of the Department of Defense if they’re able to destroy the fundamental of democracy by changing the outcomes of elections?”

Rapuano told McCain that the DoD has a responsibility to support responses and mitigation of threats in the electoral process through defense to civil authorities, if asked. However, the main point for coordination is the Department of Homeland Security, while general election matters are governed by the states and local governments.

McCain was not pleased with Rapuano’s responses. “For you to sit there and say, ‘Well, but it’s not Department of Defense’s responsibility’ — it is; to defend the nation … if you can change the outcome of an election, that has consequences far more serious than a physical attack,” McCain said.

“I am in fundamental disagreement with you about requirements of the Department of Defense to defend the fundamental of this nation, which is a free and fair election, which we all know the Russians tried to affect the outcome. … It’s the Department of Defense’s job to defend this nation; that’s why it’s called the Department of Defense.”

Rapuano noted the role of the National Guard, stating that in a number of states, on the authority of the governors, these forces are being trained in cyber to assist states in identifying vulnerabilities and mitigating those vulnerabilities. Elements of the Guard are part of the cyber mission force, Rapuano said, adding: “We certainly view quite appropriate the governor taking them under state authority versus the Department of Defense attempting to assert itself into a process without directly being requested.”

McCain retorted that, while appreciative of what the Guard and other local authorities are doing, “we see no coordination and no policy and no strategy, and when you’re ready to give that to us, we would be eager to hear about it.”

McCain also sounded a similar refrain: that for eight years his committee has been waiting for a cyber policy and strategy.

A Government Accountability Office report from 2016 charged that the DoD lacked a clear chain of command for domestic cyberattacks.

This notion was disputed by top DoD cyber officials at the time. “So there’s been a lot of discussion: ‘We don’t know how to do this’ or ‘There [are] disconnects there,’ but I don’t think that’s the case at all,” Lt. Gen. James “Kevin” McLaughlin, then deputy commander of U.S. Cyber Command, said in 2016. “I think we know how to do it; we’re making sure that in the event that it happens we’re ready to execute.”

Exercises such as Cyber Guard seek not only to help validate Cyber Command’s cyber teams, but also to help work out coordination with civil agencies such as DHS, the FBI and the National Guards of various states in the event of a national cyber disaster. Cyber Command’s cyber protection teams can be activated to support these civil organizations.

“The focus of the domestic response capabilities, the defense support to civil authorities when it comes to cyber are those protection teams out of the cyber mission force,” Rapuano told the senators in attendance. “Those are skilled practitioners who understand the forensics issues, the identification of the challenges of types of malware and different approaches to removing the malware from the systems.

“This defense support to civil authority is a direct request for assistance from DHS to the department, and we have authorities all the way down to [combatant command] commanders, specifically Cyber Command. [Cyber Command commander] Adm. [Michael] Rogers has the authorities in a number of areas to directly task those assets. It then comes up to me, and in certain areas the secretary requires his approval. But most of these things can be down at lower levels, and we have provided that assistance previously to DHS.”