After a string of high-profile Internet attacks directed at the U.S. government and private sector, Congress and the executive branch are trying to get serious about treating cyber warfare as a foreign policy issue—especially when it comes to addressing threats from China and Russia.
But it's slow going.
The Senate Foreign Relations Committee added cybersecurity to the portfolio of one of its subpanels, which had its first hearing Thursday. Yet only two members showed up: Colorado Republican Cory Gardner and Maryland Democrat Ben Cardin, chairman and ranking member of the Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy, respectively.
Cybersecurity has captured the attention of Congress this session, taking center stage in hearings and legislation that focus on companies' policies of notifying customers about data breaches, cyber threat information sharing between the government and private sector, and the value of built-in backdoors on consumer devices that would allow the government to access encrypted communications on iPhones and other gadgets.
But the foreign policy angle hasn't captured Congress's imagination just yet.
About an hour into the hearing, Cardin left for another committee meeting, leaving the chairman outnumbered by the panel of witnesses.
Mike Rogers, who was chairman of the House intelligence committee until he left Congress this January, says cybersecurity is the missing piece in U.S. defense policy. "This is the largest national security we face that we have no answer to," Rogers said at an event at the Hudson Institute on Tuesday. "And candidly, we're not winning."
"We are keeping pace, maybe, but policy-wise, we're behind this problem," he said.
Christopher Painter, the State Department's point person on cyber issues, said as much at Thursday's hearing.
"While the Internet has been growing and evolving for a few decades now, the international community has only more recently begun to fully grasp cyber issues as a foreign policy priority," Painter said in his prepared testimony.
The federal government has treated the Internet as a battlefield for some time. Documents revealed by former intelligence contractor Edward Snowden showed that the U.S. hacked into Chinese mobile phone companies, and the U.S. is believed to be behind the advanced Stuxnet worm, which targeted Iran's nuclear centrifuges, although it has never acknowledged being involved.
And increasingly, U.S. companies and government have been on the receiving end of Internet attacks. A hack attributed to North Korea that targeted Sony Pictures revealed hundreds of thousands of private emails, cost the movie studio millions, and drew a rebuke—and possibly retaliation—from the White House. A recent investigation found that Russian hackers found their way into email systems that belong to the State Department and White House. And a Chinese cyber weapon called "Great Cannon" targeted a U.S. company that was hosting software used by dissidents in China.
"When it comes to the foreign policy implications of cyber issues, it is important to begin with the recognition that this subcommittee and the State Department are working in a still-nascent policy space," Painter said.
As government works to fill that space, Cardin called on an expansion of public-private collaboration, and pointed to proposed information-sharing legislation as an example.
"Government cannot do this alone. We have no choice but to work closely with the private sector," Cardin said Thursday.
Obama last month announced an executive order that would allow the U.S. to respond to cyber attacks with financial sanctions. "Cyberthreats pose one of the most serious economic and national security challenges to the United States, and my administration is pursuing a comprehensive strategy to confront them," Obama said then.
Meanwhile, the State Department has been applying its diplomatic expertise to the cyberworld, where it's been trying to get American allies to work together and with the U.S. to develop a set of "norms" to govern how countries should act on the Internet, Painter said Thursday. The U.S. has engaged in "confidence-building measures" over cyber issues to reduce the possibility of online conflict.
James Lewis, director of the technology program at the Center for Strategic and International Studies and another witness on Thursday's panel, welcomed the Senate subcommittee to the fray.
"Everyone and their dog is doing cybersecurity, and I guess that's a good thing," he said.