By the Senate Armed Services Committee’s estimation, the United States has held back in cyberspace.
The committee is angling to change that with the latest National Defense Authorization Act, proposing to free up the military on the front lines of cyber conflict, create a new strategic cyber entity and respond to Russian aggressions in-kind.
The bill’s authors wrote that lawmakers have long-standing concerns about the lack of an effective U.S. strategy to deter and counter cyber threats. To counter foreign state actors bent on stealing, striking, spying or disrupting in cyberspace, the bill suggests boosting resilience, increasing attribution capabilities, emphasizing defense and enhancing the country’s ability to respond to attacks.
“We’re letting episodes define strategy. It should be the other way around, where we clearly articulate our cyber deterrence strategy and rules of engagement,” said Frank Cilluffo, director of George Washington University’s Center for Cyber and Homeland Security.
By offering a road map for the U.S. Cyber Command, signaling when U.S. cyber forces will go on attack and directing the United States to employ all instruments of national power, “this bill gives [CYBERCOM] its marching orders going forward,” Cilluffo said.
According to the proposed law, cyber incidents that inflict casualties, undermine democratic society, damage critical infrastructure or affect armed forces could trigger U.S. offensive cyber operations.
The norm-setting bill directs CYBERCOM to take the fight to an adversary on foreign turf. If an actor using the networks or infrastructure of a third-party country stages an attack on the America or an ally, the bill suggests that the U.S. military can respond without the host government’s permission.
Though the law greatly expands who and what U.S. forces are authorized to target, the U.S. is “not going to be able to go in and attack willy-nilly in large amounts without any consequences,” said Megan Reiss, a senior fellow at the R-Street Institute. “This basically just clarifies that the U.S. reserves the right to deal with networks in third-party countries, especially in the case that those countries are unable or unwilling to deal with the offending networks.”
This provision is significant, because it is the first time this concept – cyber countermeasures in a third-party country – has been publicly acknowledged and codified by the U.S. government. The language is also noteworthy because it suggests that the U.S. government is warming to the idea of “hacking back.”
The defense proposal also calls for the establishment of a “Cyberspace Solarium Commission,” “tasked with developing a strategic approach to protecting and advancing the United States’ advantage in cyberspace.” The commission, named after a similar entity created for the nuclear domain by the Eisenhower administration in the 1950s, would draw from experts across the government.
Sen. Ben Sasse, R-Neb., who authored the proposal for the commission, said in a press release: “The United States does not have a serious cyber strategy but our enemies do…We lack a doctrine that defines how, when, and where we play offense and defense. We don’t have a playbook. It’s time to draft one.”
The commission will convene experts from the cyber, defense and regional communities.
“Rarely do they come together,” Cilluffo said. “To do cyber right, you have to have all three.”
The bill bluntly tackles cyber and information threats stemming from Moscow, directing CYBERCOM to “take appropriate and proportional action” in cyberspace to “disrupt, defeat and deter” Russian cyberattacks.
“Basically they’re saying: ‘we know Russia is doing this, so let’s make sure Cyber Command has the authority to deal with it when they see ongoing attacks,” said Reiss.
The efforts to boost U.S. Cyber Command come as leadership has undergone a change. Gen. Paul Nakasone has recently assumed command of the unit after previously running U.S. Army Cyber Command.