Members of Congress are becoming impatient with what they view as a flaccid approach from the Obama administration on the issue of cyberattacks. Through a recent spate of op-eds, statements and fiery rhetoric to reporters, lawmakers’ criticism is growing due to the fact that the volume of commercial espionage being backed by the Chinese government isn’t going away.
“It’s long past time for the U.S. to define what is a digital act of war and the appropriate response,” Rep. Will Hurd, R-Texas, who sits on the House Homeland Security Committee, told the Washington Examiner.
The issue was at the forefront of Congress for much of 2015. It fell briefly from attention following a Sept. 25 agreement reached between President Obama and Chinese President Xi Jinping, stating that neither country would engage in commercial espionage. The administration argued the agreement would resolve the issue. Yet five months later, there are indications that has not been the case.
“Over the next year, I would say attacks are going to continue if not increase,” said Lance Dubsky, chief security strategist at cybersecurity firm FireEye. The firm handles cybersecurity for corporations internationally, and its Mandiant services specializes in defending against attacks out of China and other countries.
Because the company cannot divulge information about its clients, Dubsky emphasized that it was a personal prediction. Nonetheless, a consensus seems to be emerging that he is correct.
Beyond angry words meant to embarrass the administration into action, lawmakers are limited in what they can due on the issue because of its complexity. Drawing “red lines” that define the U.S. response to every cyberattack is too daunting an endeavor for Congress to indulge.
“It’s something that really needs to come from the president,” said Claude Barfield, an expert on cybersecurity at the American Enterprise Institute. “It’s almost silly to talk about with this administration, but where are the red lines? What can you expect from the United States if you do the following?”
But members of Congress still plan to keep the issue alive.
“Despite the agreement, reports continue to come out about hacks on our privileged economic and sensitive military data that are linked to China,” said Rep. Matt Salmon, R-Ariz. “We have allowed China to warp agreements between our countries in their favor, and we’ve allowed them to exploit our vulnerabilities for their own economic and military gain.”
Sen. John McCain, R-Ariz., and Senate Armed Services Committee chairman, voiced a more strident criticism in January. In a statement, he accused Obama of going “to great pains to minimize the role of offensive cybercapabilities” that could be used in response to cyberattacks against the United States, and said the president had done “little to clarify the policy ambiguities that undermine the credibility of deterrence.
“Our adversaries view our response to malicious cyberactivity as timid and ineffectual,” McCain added. “The problem is a lack of deterrence. The administration has not demonstrated to our adversaries that the consequences of continued cyberattacks against us outweigh the benefit. Until this happens, the attacks will continue and our national security interests will suffer.”
McCain’s complaint touched on a range of issues that have germinated among members of Congress. Those include the absence of a written policy prescribing how the U.S. will respond when attacks occur, whether they are conducted against critical infrastructure or private companies, the administration’s refusal to attribute responsibility for attacks that take place and the administration’s failure to put sanctions on entities that engage in commercial espionage.
U.S. infrastructure has not suffered any highly damaging attacks. That may be one reason Congress has not pressured the administration to act more quickly on some elements of cybersecurity policy, in spite of the disagreements.
However, with respect to cyberattacks geared toward commercial espionage, the clock is ticking. Experts have suggested that if hacking traced to China fails to decline by the end of March, it will serve as a reasonable indicator the country is not abiding by the agreement. In that scenario, lawmakers fear that America’s adversaries will see inaction as weakness.
“It’s not just China’s actions we need to address,” Hurd said. “Our enemies need to know that there will be consequences for a digital attack.”
Salmon concurred, saying the issue comes down to the fact that bad actors need to know the president’s words “will be followed through with action” and that the U.S. will “negotiate from a position of strength, rather than weakness.”
It could be the case that administration officials are hoping, in spite of precedent, that attacks are eventually going to decline, even if no action is taken. They would not be alone: Dubsky said that as a company, FireEye “very much hopes the trend in hacking will turn down,” and that countries will seek to engage as “good world citizens.”
However, he added, “For me personally, I see the trend maintaining.”
