Pentagon's Lack of Cyber Policy Illegal, McCain Says

Senators pressed Defense and intelligence officials on rules of war for cyberspace at a Tuesday hearing.

Senate Armed Services Committee Chairman John McCain (Anadolu Agency AFP/Getty)

A week after President Obama announced an agreement with Chinese President Xi Jinping to limit corporate espionage—a tentative step toward setting up norms of state behavior on the Internet—a panel of senators urged cybersecurity officials in the Defense Department to go further in establishing clear rules of war for cyberattacks.

As members of the Senate Armed Forces Committee pushed Tuesday for a more clearly delineated cyber policy—and better follow-through to make U.S. intentions clear—the committee's chairman, Sen. John McCain of Arizona, suggested the lack of such a policy is illegal.

In a heated exchange, McCain pressed Deputy Defense Secretary Robert Work on his department's progress in developing an "integrated policy" for cybersecurity, a task Congress assigned the department in the fiscal year 2014 Defense reauthorization bill.

"Suppose there's an attack, a cyberattack, like the one on OPM," McCain said, referring to a pair of data breaches at the Office of Personnel Management that affected more than 22 million individuals. "Do we have a policy as to what we do?"

Work began responding, haltingly, "The first is to try—first we deny and then we first find out, we do the forensics—"

McCain cut him off, and asked repeatedly whether it is Pentagon policy to counterattack after such a breach. Work said a counterattack is "one of the options."

"That's not a policy, Secretary Work," McCain responded. "That is an exercise in options. We have not got a policy, and for you to sit there and tell me that you do—a 'broad-strokes strategy'—frankly is not in compliance with the law."

Other senators on the committee piled on, asking Work and his fellow witnesses from the Intelligence Community how and when a clear policy of deterrence and retaliation would be set out.

"We are not where we need to be in our deterrent posture," admitted Work.

Director of National Intelligence James Clapper told the committee that he was not optimistic that China would curtail its cyberattacks, even after the U.S.–China accord announced last week.

Throughout the hearing, senators brought up the OPM data breaches, which are widely attributed to China. Clapper has gone out of his way in recent weeks to draw a bright line between corporate espionage—the target of the U.S.–China accord announced Friday—and traditional intelligence operations, which he says are commonplace and expected.

Clapper has categorized the data breaches at OPM as intelligence-gathering, and cautioned last week against characterizing the breaches as cyberattacks.

"We, too, practice cyberespionage," Clapper said Tuesday. "We're not bad at it." When it comes to retaliating in response to the OPM breach, Clapper told senators to "think about the old saw that people who live in glass houses shouldn’t throw rocks," using an adage he's applied to the situation before.

Clapper's distinction was still not enough for senators who wanted a clear outline of norms.

The government's cybersecurity position has been "a lot of talk, not a lot of action, unfortunately, and people take their cues from that," Sen. Kelly Ayotte of New Hampshire said.

"We need to define what an act of war is in the cyber arena," said Sen. Angus King of Maine. "I don't mean to imply, Secretary Work, that this is easy. But it's urgent."