Lawmakers fear US has fallen behind in cyber warfare

Lawmakers in both chambers of Congress are confronting hard truths about the U.S. military’s cyber vulnerabilities and lack of a comprehensive strategy to deter and respond to cyberattacks.

Members of Congress worry that adversaries could potentially breach the defense industry supply chain or exploit the military’s dependence on computers and high-tech systems for operations, fears that were confirmed by testimony from experts and former officials this week.

“Major powers — Russia and China specifically — have a significant and growing ability to hold U.S. critical infrastructure at risk via cyberattack and also a growing capability to hold at risk the U.S. military to potentially undermine U.S. military responses,” Dr. Jim Miller, a member of the Defense Science Board and former undersecretary of defense for policy, told senators on Thursday. 

“For at least the next decade, the offensive cyber capabilities of these major powers are likely to far exceed the United States’ ability to defend our critical infrastructure,” Miller said. “At the same time, the U.S. military has a critical dependence on information technology, and these actors are pursuing the capability through cyber to thwart our military responses. This emerging situation has potentially placed the United States in an untenable strategic position.”

The risks took center stage at meetings of the House and Senate panels with oversight of the Pentagon. Both committees are likely to make cyber warfare and things related to it a priority in the coming months. 

“We understand a lot of the conventional weapons and the strategic weapons,” Sen. John McCain (R-Ariz.), who chairs the Senate Armed Services Committee, said at the conclusion of the hearing on cyber policy Thursday. 

“I don’t think amongst this committee or amongst the American people the dimensions of this challenge are fully understood. Until we fully understand the dimensions of the challenge, then I’m not sure we’re able to address it adequately from a legislative standpoint.”

“Right now, besides funding, this is the highest priority that this committee should have,” McCain said.

Concerns about the cyber vulnerabilities at the Pentagon — and the U.S. government more broadly — have been amplified by the Russian government’s alleged cyber campaign aimed at affecting the presidential election.

Russia’s election hacking featured in both hearings, with some lawmakers expressing frustration over the government’s response and others signaling the need for the military to prepare for new types of “hybrid warfare” from Russia —which just revealed new information warfare troops — and other countries. 

“Among the hearings we are planning in the future is one that looks more broadly at hybrid warfare attempts to influence policy short of traditional methods of warfare,” Rep. Mac Thornberry (R-Texas), chair of the House Armed Services Committee, said Wednesday. “Certainly what the Russians are doing, and some examples of Chinese using their economic power and others. This is one of our key challenges.”

But the Russian election intrusions were only one point of focus, with lawmakers also raising questions about the ability of adversaries to handicap U.S. military operations by targeting their computer systems or infiltrating the supply chain. 

“I have a concern … that we have a limited understanding of supply chain risk in the defense industrial base,” Sen. Gary Peters (D-Mich.) said. “These risks could include counterfeit components that end up in warfighting platforms or, worse, undetectable hardware or software modifications that are perpetrated by a very sophisticated adversary.” 

Leadership of both committees signaled the need for future hearings on the issues discussed, though the job to change the military’s strategy in cyberspace ultimately falls to the Trump administration and, in particular, Defense Secretary Jim Mattis. 

Mattis has already ordered military leaders to develop a plan for organizational and structural reform to improve support of cyber operations and information management at the Pentagon.

The Trump administration is also required by law to report to Congress what actions against the United States in cyberspace could warrant a military response.

“This committee is well aware that bold action is required and we will continue to apply the appropriate pressure to ensure that the new administration develops a cyber strategy that represents a clean break from the past,” McCain said Thursday.