Beyond Russian hacking, cyber policy options begin to emerge

Cybersecurity policy implications are beginning to emerge from the Russia election hacking affair, ranging from the obvious need for better deterrence to more subtle changes in the way cyberspace is viewed.

“There never seems to be any consequences to this bad behavior,” said House Homeland Security Chairman Michael McCaul, R-Texas, referring to the familiar litany of cyber attacks in recent years at a hearing on March 22 focused on the state of cyber policy.

McCaul is pressing for legislation that would clarify and enhance the Department of Homeland Security’s role at the center of the government’s cybersecurity efforts, which he touted at the hearing as a key way to improve cyber defenses, as well as to bring top-flight cyber talent into government.

At that session on “The Borderless Battle” in cyber space, a panel of cybersecurity luminaries discussed the current policy environment against the backdrop of the politically explosive probe into what exactly happened during the 2016 election.

That Russia conducted a cyber-enabled influence campaign is clear, but what does that mean for the cyber policy world?

“Cyber was just the tool” in Russia’s efforts aimed at the U.S. election campaign, and in political campaigns unfolding in France and Germany, former White House cybersecurity coordinator Michael Daniel told InsideCybersecurity.com prior to the Homeland Security panel hearing.

“This was really about the ‘influence operations’ that Russia has always been adept at, going back to the czars,” Daniel said. “Cyber was just the vehicle, and focusing too much on the vehicle is not helpful.”

Still, he said, there are serious if nuanced policy implications.

“We need to improve our sophistication in terms of thinking about the things you can do in cyber space,” Daniel said. “It’s not just about destruction. Cyber space doesn’t adapt to the rules of the physical world. For example, what does sovereignty mean in cyber space?”

Former Department of Homeland Security cyber chief Bruce McConnell said the very “definition of cyber is expanding” in light of the Russian election-meddling affair.

Cyber now involves information warfare and manipulation, beyond the historic view of cyber war as attacks aimed at stealing from or destroying computer networks, McConnell told InsideCybersecurity.com.

“This presents new policy problems — it’s not just protecting networks, it’s content,” McConnell observed. “And what is the government role in protecting content?”

The House Homeland Security session was lightly attended, especially in comparison with the House Intelligence panel’s jam-packed open hearing on its Russia probe two days before.

Intelligence Committee Chairman Devin Nunes’ surprise hallway meeting on the same day with reporters to discuss information he had received related to the Russia probe drew dozens more reporters than the Homeland Security panel’s session.

But the homeland committee hearing brought in cybersecurity heavyweights such as Daniel and McConnell, along with the former National Security Agency and Cyber Command leader, retired Gen. Keith Alexander, and leading cybersecurity theorist Frank Cilluffo of George Washington University.

McCaul knows his panel will be the one carrying the policy weight this year, and he used the session to begin framing answers.

Pointing to his DHS restructuring proposal, McCaul said, “[W]e have already begun to work with the Trump administration and others to make that a reality in the near future.”

Discussions continue with other congressional panels on jurisdictional issues related to the proposal, according to sources.

At his hearing, McCaul’s witnesses also offered their top priorities, all of which fit in as next steps following the policy measures enacted over the past couple of years.

The witnesses called for further developing government-industry information sharing, for instance, which could be bolstered by clearer legal protection for companies that share cyber threat indicators among themselves and with government.

Industry is “more than willing to share … and that can be done at network speed,” Alexander said, stressing that he was talking about threat indicators, not personal information.

But to make that happen, he said, government roles must be clarified and industry needs more assurance on liability protection.

Alexander also called for tax and other incentives to help industry bolster cyber defenses.

GWU’s Cilluffo called for more aid to state and local officials and first responders, more clarity on liability protection and “defining the rules for active defense” by companies that want to respond to hacks.

He said the nation’s cyber deterrence policy needs to be spelled out, a refrain picked up by the other witnesses as well.

McConnell — the former DHS cyber leader now with East/West Institute in San Francisco — said his top three priorities for Congress would be to “fix DHS, oversee DHS” and look more closely at the role insurance can play in improving cybersecurity across the private sector.

The effort to write the next phase in the evolution of cyber policy is well underway, separate and to a degree insulated from the spotlight on what happened in last year’s election.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.
