The Trump administration is talking a big game about its strategy to deter cyberattacks.
Twice in the past week, top administration officials have boasted about their capacity to respond to digital threats, saying the White House stands ready to inflict an array of consequences on malicious actors in cyberspace.
But a bipartisan group of lawmakers isn’t buying it. And they want to use the massive defense authorization bill Congress will negotiate over the coming weeks to force the White House to draw up a clear cyber deterrence policy. The move highlights mounting frustration with what lawmakers see as a woefully insufficient strategy for responding to cyberattacks, and shows they’re serious about holding officials to their tough rhetoric.
“Let's not sugarcoat it: Washington is dangerously unserious about cybersecurity,” Sen. Ben Sasse (R-Neb.) said in an email. “We're decades into the era of cyberwar and we're still playing catch-up.”
Sasse is part of a group of lawmakers from the Armed Services Committee who got language included in the Senate version of the National Defense Authorization Act requiring the administration to develop a cyberwar doctrine to respond to digital attacks. This administration and its predecessor have failed to create a comprehensive strategy to ward off growing cyberthreats from nation-states and other sophisticated actors, he and other lawmakers say.
“We don't have clear cyber doctrines, but China and Russia do,” Sasse told me. “Decade after decade, hack after hack, administration after administration, our adversaries get more aggressive while Washington sits on the sidelines.”
In addition to requiring the administration to "plan, develop and demonstrate" options for countering attacks, the provision also says it should “demonstrate, or otherwise make known to adversaries the existence of, cyber capabilities to impose costs on any foreign power targeting the United States.” Another measure, written by Sasse, would create a bipartisan national commission of administration officials and experts chosen by Congress to recommend ways to strengthen the United States’ posture in cyberspace.
The issue has been top-of-mind for lawmakers on both sides of the aisle as the House and Senate prepare to reconcile their versions of the NDAA, an annual bill that sets the Pentagon’s budget and outlines Congress’s defense priorities.
“The lack of decisive and clearly articulated consequences to cyberattacks against our country has served as an open invitation to foreign adversaries and malicious cyber actors to continue attacking the United States,” said Sen. Martin Heinrich (D-N.M.), who has helped lead the cyber deterrence push on the Armed Services Committee. “Democrats and Republicans continue to call for a national cyber deterrence strategy from the administration, but we’ve seen nothing adequate to deter future attacks.”
While lawmakers are agitating for more decisive action, administration officials say they are ratcheting up U.S. cyber deterrence efforts.
In a national security forum on Capitol Hill last week, Homeland Security Secretary Kirstjen Nielsen told Rep. Michael McCaul (R-Tex.) in a live-streamed discussion that the administration was laser-focused on replacing what she called the Obama administration’s “complacency” with “consequences.”
“For so long we've had these attacks, it's taken us over a year to attribute in some cases, then we attribute it and nothing happens,” Nielsen said. “So this is one of those areas where deterrence has to be clear. We will no longer stand by while nation-states attack the government or our private-sector entities.”
Just a few days later, Secretary of State Mike Pompeo described the range of responses the United States had at its disposal for responding to cyberattacks, saying the United States had "incredibly capable cyber teams" spread throughout government.
If a cyberattack “approaches or becomes a true act of war, then the responses that the United States need to take aren’t limited just to a cyber response,” Pompeo said in an interview Sunday with MSNBC's Hugh Hewitt. “There’ll be times when the United States government decides that’s the most appropriate place, because you can in fact do it quietly. You can respond in the cyber world by sending a message that the entire world doesn’t necessarily see, but your adversary may well see. But there are also times when responses in cyberspace will call for diplomatic response or other types of responses from our government.”
It's true the Trump administration has taken aggressive steps in recent months designed to inflict punishment for major cyberattacks. In December, the White House publicly attributed the massive WannaCry ransomware attack to North Korea, and attributed the devastating NotPetya cyberattack to Russia in February. The administration has also imposed, under orders from Congress, sanctions on Russia for its interference in the 2016 elections and other cyberoffenses. And the White House in April sent Congress a classified report on its cyberwar policy under a provision in last year's defense spending bill.
But those moves haven’t satisfied lawmakers such as Sasse, who are hoping legislation will force the administration into action.
“This isn't going away,” Sasse said, “and there are few things more important than this challenge.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Two senators are pushing Trump to reinstate U.S. penalties on ZTE. Sen. Mark R. Warner (D-Va.), the Senate Intelligence Committee's vice chairman, and Sen. Marco Rubio (R-Fla.) on Tuesday wrote to Trump and asked that he “reconsider” his decision to alleviate the punishment on the Chinese tech giant following sanctions that the Commerce Department announced in April. Lawmakers on Capitol Hill have repeatedly said ZTE and other Chinese tech companies such as Huawei threaten U.S. national security. “ZTE, though publicly traded, is a state-backed enterprise that is ultimately loyal not to its shareholders, but to the Chinese Communist Party and Chinese government,” Warner and Rubio wrote. “This patronage relationship poses unacceptable risks to American sovereignty; risks that will only increase if the company is permitted to establish itself deeply in America’s telecommunications infrastructure.”
The Senate last week approved a measure to restore penalties on the company and prevent the federal government from buying ZTE and Huawei equipment when it passed its version of an annual defense authorization bill in a 85-to-10 vote, setting up a clash with the Trump administration. Rubio and Warner asked Trump to support blocking the federal government from purchasing equipment from ZTE and Huawei and suggested that the president should not use ZTE as leverage in his trade dispute with China. “We strongly believe that the April sanctions order — which would have threatened ZTE’s survival — should not be used as a bargaining chip in negotiations with China on unrelated matters,” they wrote.
ZTE is a national security threat, not a bargaining chip in trade negotiations. Our intelligence community knows it, our military knows it, and by now our President should know it too. Today @MarcoRubio and I called on the President to reverse course on the bad deal with ZTE. https://t.co/u9UyWs8lmd— Mark Warner (@MarkWarner) June 26, 2018
PATCHED: Russia's interference in the 2016 presidential election exploited the U.S. government and private sector's lack of readiness for such an operation but also made the most of weaknesses in American society, according to a report released Tuesday by the Alliance for Securing Democracy, part of the German Marshall Fund of the United States. “The Kremlin’s operation to undermine democracy weaponized our openness as a nation, attempting to turn our greatest strength into a weakness, and exploited several operational and institutional vulnerabilities in American government and society,” the report says.
Such vulnerabilities include a lack of preparedness in the government “to address asymmetric threats of this nature,” an aging election infrastructure, the failure of tech companies to realize that foreign actors could exploit their platforms and insufficient cooperation between the private and public sectors, according to the authors of the report. Jamie Fly, Laura Rosenberger and David Salvo say that Russia also seized on vulnerabilities within American society in its interference campaign. “A hyper-partisan climate, declining faith in the ability of government to do its job, festering racial divisions, growing economic disparities, and the increasingly polarized media environment and prevalence of echo chambers, all provide fertile ground for adversaries who seek to do America harm,” they write.
PWNED: Former National Security Agency contractor Reality Winner pleaded guilty Tuesday to mishandling government secrets, The Washington Post's Devlin Barrett reports. Under the plea deal, Winner, who was arrested last year after authorities accused her of leaking a top-secret NSA document to a news organization, faces about five years in prison, according to Barrett. Winner pleaded guilty to one felony count of mishandling defense information.
“A former military linguist, Winner held a top-secret security clearance while serving in the Air Force until 2016 and continued to handle classified information as a contractor for Pluribus International, working at Fort Gordon in Georgia,” Barrett writes. “Prosecutors say she took a copy of a classified NSA report describing Russian government efforts to use hacking techniques against employees of a company that provided technical support to states’ voting agencies.” The charges against Winner last year were unveiled soon after the investigative news site the Intercept published a story based on an NSA document.
Winner's mother, Billie Winner-Davis, told reporters after her daughter's guilty plea that Winner would now be able to “look forward” to the future. “I’m really proud of Reality. I’m happy that she did this,” Winner's mother said, as quoted by Barrett. “I think that this will enable her to have peace, and now she can at least look forward to planning for her future. . . . I hope that people don’t judge her by this one action, by this one mistake.”
— The Senate Foreign Relations Committee on Tuesday approved a cyber diplomacy bill that would create an Office of Cyberspace and the Digital Economy at the State Department. Under the bill, the head of the office would be tasked with carrying out U.S. cyber policy and would advise the secretary of state on cyber issues. “The security and economic future of our country increasingly depends on working with our allies and partners to maintain a secure, reliable and open internet.” Sen. Bob Corker (R-Tenn.), the panel's chairman, said in a statement following the bill's passage in committee. “We need a robust agenda for cyber diplomacy with the leadership and congressional oversight necessary to carry it out successfully. Enactment of this legislation will more effectively focus and centralize cyber diplomacy efforts at the State Department.”
— Sen. Angus King (I-Maine) has a message about cybersecurity for the administration and he wants a Trump nominee for a top cyber job at the Energy Department to deliver it on his behalf. King on Tuesday asked Karen S. Evans, President Trump’s nominee for assistant secretary of energy for cybersecurity, energy security and emergency response, to urge the administration to establish a “leadership position” to coordinate cyber policy across the federal government and to develop a cyber doctrine. Politico reported last month that the Trump administration terminated the position of White House cybersecurity coordinator.
“We know that a cyberattack is coming at some point,” King told Evans during her confirmation hearing. “It’s the longest windup for a punch in the history of the world, and shame on us if we’re not prepared for it. And the best way to prepare for it is to deter it so that those who would attack us in these means understand that there will be a price to be paid, it will be a serious one, it will be proportional to the attack.” Evans replied that she “will be happy to” relay King's message.
— Rep. Gerald E. Connolly (D-Va.) is seeking answers from the Justice Department in what appears to be the first criminal case involving fraudulent use of stolen information from the 2014 Office of Personnel Management data breach. Connolly wrote in a letter Tuesday to Attorney General Jeff Sessions that the Justice Department has not explained how the defendants in the case obtained the personally identifiable information of the OPM hack victims. “I believe further details about how the defendants obtained the PII could be useful for the purposes of protecting victims of the breach from further criminal activity,” Connolly wrote. “I respectfully request a briefing with the Department on how we can better balance the needs of this particular prosecution and related investigations with breach victims’ need to know how their PII is being obtained by criminals.” Connolly also wrote a letter to the OPM to ask what actions the agency has taken since the criminal case was revealed last week.
— More cybersecurity news from the public sector:
— Australian lawmakers on Tuesday supported legislation that aims to counter foreign interference in the country's political affairs in a move that could further infuriate China, The Wall Street Journal’s Rob Taylor reports. “The legislation will strengthen existing espionage laws, which haven’t been successfully used by prosecutors in decades,” according to Taylor. “It introduces foreign-interference offenses targeting ‘covert, deceptive or threatening actions’ of foreign agents trying to meddle in Australian political networks and business—while another complementary bill still being considered would ban foreign political donations.” Relations between China and Australia already are at a low point as the Australian government is considering whether to prevent Huawei from being involved in the country’s 5G network.
— Ukraine worries that Russian hackers are laying the groundwork for a vast cyberattack against the country by infecting companies with malware, Reuters’s Pavel Polityuk reported on Tuesday. “The hackers are targeting companies, including banks and energy infrastructure firms, in a roll out that suggests they are preparing to activate the malware in one massive strike, cyber police chief Serhiy Demedyuk said,” Polityuk writes. “Ukrainian police are working with foreign authorities to identify the hackers, Demedyuk added.”
— More cybersecurity news from abroad:
- House Science subcommittee hearing on IMSI catchers.
- House Small Business Committee hearing on ZTE.
- SIA GovSummit in Washington today through tomorrow.
- House Foreign Affairs Committee markup of the Cyber Deterrence and Response Act of 2018 tomorrow.
- Deputy Attorney General Rod J. Rosenstein and FBI Director Christopher A. Wray appear before the House Judiciary Committee tomorrow.
- Cyber Security Summit: DC Metro in McLean, Va., tomorrow.
- National Homeland Security Conference in New York on July 9 through July 12.
- National Association of Secretaries of State 2018 Summer Conference in Philadelphiaon July 13 through July 16.
Father of girl on Time cover shares his family's story:
An edmontosaurus skull gets a CT scan for an upcoming museum exhibition:
Jimmy Fallon reacts to Trump's Twitter jab: