The United States must demonstrate its cyber warfare capabilities to help deter sophisticated attacks from Russia and other adversaries while building strategies on a battlefield still misunderstood by commanders and senior officials, a panel of defense experts told lawmakers Thursday.
“Cyber operations are a legitimate means of projecting national power, especially when proportionately supplemented by kinetic force, and we should advertise them accordingly,” retired Navy Adm. James Stavridis, the former leader of European Command, told the Senate Armed Services Committee in prepared remarks.
Russia, North Korea, China and other nations launch sophisticated attacks against the United States, including attempts to destroy infrastructure and undermine credibility of elections in America and France, Stavridis said. And the United States is often sheepish to strike back in shows of force, he added.
“Unwillingness to operate offensively in cyberspace is driven less by a fear of retaliation and more by a fear of compromising our intelligence community’s sensitive tradecraft,” he said.
Retired Air Force Gen. Michael Hayden, former director of the CIA, said there is still a lack of consensus in the United States and the international community about what kinds of attacks warrant a response, and outdated thinking still suggests cyber assaults require an in-kind digital response, when other measures, such as conventional military strikes or sanctions, might be more appropriate.
“One way to recognize practice is to practice,” Hayden said.
In response to Russian election interference for example, the United States could have disrupted bank accounts linked to Russian oligarchs and revealed the extent of President Vladimir Putin’s finances and property, Stavridis said.
Recent protests have rocked Russia following allegations of embezzlement by Prime Minister Dmitry Medvedev, and overt jabs over the wealth of Russian leaders would undermine the government there, he said.
Crippling intelligence-gathering networks would also restrict Putin’s ability to surveil his own people, Hayden said, at a crucial time when he seeks to squash dissent.
James Clapper, former director of national intelligence, stressed throughout the hearing about shortfalls within the government to anticipate the response of adversaries once cyber operations are launched.
“We can’t count on equal or symmetrical retaliation,” he said.
Sen. John McCain, R-Ariz., the committee’s chairman, opened his remarks for the hearing with a quip signaling his frustration with a lack of vision and cohesion in cyber operations in the military and intelligence communities.
“The committee meets today to receive testimony on cyber policy, strategy and organization, of which there is very little,” McCain said.
His remarks are an echo of a hearing held Tuesday, when McCain said: “Our nation remains woefully unprepared to address these threats.”
The panel offered various reasons why the United States appears unprepared to strike and vulnerable to attack in the cyber domain, chief among them is a lack of coherent guidance and command that is spread throughout the military branches and intelligence agencies, which results in redundancies and overlap.
Clapper and other officials have urged the separation of the National Security Agency and Cyber Command, the so-called “dual hat” organization led by Navy Adm. Michael Rogers, that has become too big for one commander, Clapper said.
Those organizations have different missions — Cyber Command focuses on offensive and defensive strikes while NSA’s main efforts are in spying and intelligence-gathering, Stavridis said. Elevating the cyber mission to full combatant command would crystalize doctrine and send a message to adversaries on the seriousness of the United States to execute missions, he said.
The experts and members of the committee voiced the need for President Donald Trump to provide guidance in cyber operations after he missed a self-imposed deadline to deliver a strategy within 90 days of his inauguration. Shortly after the hearing concluded, Trump signed an executive order “aimed at strengthening the federal government’s cyber security and protecting the nation’s critical infrastructure from cyberattacks,” Reuters reported Thursday.
McCain reiterated concerns recently voiced by service chiefs that a disparate focus and investment in cyber warriors in the military leaves talent untapped and later poached by the private sector.
“I don’t see a clear career path for cyber warriors,” he said.
Stavridis said none of the 126 airmen who recently completed their first tour with the Pentagon’s cyber mission force were retained for a second tour.
The Defense Department launched the initiative last year to consolidate forces in order to defend its networks, support commanders and protect U.S. infrastructure. It staffs 5,000 troops across 133 teams as of October, according to a Pentagon news release.
All 126 of those airmen were reassigned to Air Force missions “with no cyber nexus whatsoever,” Stavridis said in written testimony.
Recent attacks have converged across the public and private sectors, targeting U.S. power companies and corporations such as Sony, for instance, which became a victim of North Korean hacking.
The blurring of lines could lead to a Coast Guard-like cyber operations entity in the future, Clapper and the other experts suggested, which would blend military and law enforcement capabilities with an arm that occasionally responds to attacks affecting private citizens and businesses.
“We’re kind of on the beach at Kitty Hawk,” Stavridis said. “We have some work ahead.”