Cybersecurity

Frustrated lawmakers want cyber retaliation

Lawmakers on both sides of the aisle laid into top Intelligence and Defense officials on Tuesday for not retaliating in cyberspace, despite the glut of digital assaults targeting the U.S.

“I see two consistent themes here,” said Sen. Kelly Ayotte (R-N.H.) during a Senate Armed Services Committee hearing. “A lot of talk; no action, unfortunately. And people take their cues from that and that worries me.”

{mosads}“Why wouldn’t we take hard actions against them?” asked Sen. Joe Manchin (D-W.Va.), referencing myriad reports that Chinese hackers have pilfered technology from U.S. defense contractors. “I just don’t understand why we wouldn’t retaliate, from a financial standpoint.”

Defense and Intelligence Committee leaders took considerable heat at the hearing just days after the White House unveiled a “common understanding” with China that both countries would refrain from conducting or supporting digital economic theft.

The agreement came after the Obama administration decided to back away from slapping China with economic sanctions for hacking the U.S. private sector.

Lawmakers appeared frustrated by the White House’s move, and baffled by the fact that Friday’s “common understanding” came with no apparent enforcement mechanism. It’s part of a broader narrative, they argued, of inaction in the face of damaging and economically draining cyber theft.

“I think what you’re hearing from some of us up here,” Ayotte said, “[is] what are we going to do about it? As opposed to a shared agreement on principles.”

The Obama administration has been under increasing political pressure to stymie the flood of attacks that industry leaders say are drowning companies and eroding their global competitive advantage. National security experts are also worried that foreign governments like Russia and China are regularly hacking into federal networks with no repercussions.

Manchin pressed officials on what would happen if China breaks its promise.

“Are there any penalties in this agreement if one or the other violates it?” he asked Director of National Intelligence James Clapper.

“There certainly are implied penalties,” Clapper replied, referencing the nearly levied economic sanctions.

The threat of those sanctions got China to the negotiating table, he said. Those potential penalties, he added, are “illustrative of what would mean something to the Chinese if they transgress or violate this agreement.”

But overall, the spy chief did not seem sold on the deal.

“We are inherently skeptics,” he added.

Senate Armed Services Committee Chairman John McCain (R-Ariz.) saw the agreement as more evidence of a patchwork and ineffectual cyberspace policy.

During an extended and heated exchange with Deputy Secretary of Defense Robert Work, McCain admonished the Defense leader for failing to produce an official deterrence policy.

“As we have said over and over, we believe our cyber deterrence strategy is constantly evolving and getting stronger,” Work said.

“I’m talking about a policy, not a strategy,” McCain cut in, explaining that the 2014 Defense Authorization bill required the Pentagon to submit such a policy to Congress.

“That policy is still in development,” Work said, adding that the “policy has been outlined in broad strokes.”

“Not broad enough,” McCain interjected.

“Suppose there is a cyberattack like the one on OPM,” McCain continued, referencing to the theft of more than 22 million federal workers’ data from the Office of Personnel Management. “Do we have a policy as to what we do?”

Work started to explain the investigation process, but McCain wasn’t having it.

“Do we counterattack?” he asked.

“That’s one of of the,” Work started, before McCain interrupted.

“That’s not a policy, Secretary Work, that is exercising options,” he said. “We have not got a policy, and for you to sit there and tell me that we do have a broad-strokes strategy frankly is not in compliance with the law.”

Several times in the hearing, Clapper drew a distinction between hitting back over private-sector hacks versus retaliating for government hacks.

Clapper warned that the U.S. conducts its own espionage through cyberspace and therefore is limited to how it can respond to something like the OPM hack, which is a legitimate espionage target.

“I think it’s a good idea to think about the old saying about people that live in glass houses shouldn’t throw rocks,” he said.

McCain, who wasn’t questioning Clapper at the moment, jumped in.

“So it’s OK for them to steal our secrets that are most important, because we live in a glass house?” he asked. “That is astounding.”

Clapper clarified.

“I did not say it’s a good thing,” he said. “I’m just saying both nations engage in this.”