Critical cyber policy issues on hold amid Russia probe controversies

Cybersecurity policy issues that have nothing to do with what President Trump said to ex-FBI Director James Comey lurk beneath the surface of the ongoing congressional and independent counsel probes into the Russia hacking affair.

One immediate policy implication is that the Russia investigation — like the controversy over fugitive ex-National Security Agency contractor Edward Snowden’s leaks in the recent past — overshadows discussion of any cybersecurity issue, even an unrelated one.

“I think this is a terrible distraction,” said Melissa Hathaway, former cyber adviser to both Presidents Barack Obama and George W. Bush, “and we are losing sight of terrorism and important foreign policy issues.”

Policy issues that continue to call out for attention include developing an effective U.S. cyber strategy that deters foreign aggressors, invigorating the government-private sector cyber threat information sharing process, and improving coordination in the face of cyberattacks.

Some of these issues were touched upon at the heavily covered June 8 Senate Intelligence Committee hearing with Comey, but only briefly.

The issues could be hard to address in the policy realm without some level of presidential leadership — and even more difficult if senior administration officials are leery of discussing cyber issues for fear of stepping into the Russia controversy.

Democrats on the intelligence panel repeatedly asked Comey whether Trump had ever inquired about the strategic issues raised by the Russian hacks, to which Comey said, “No.”

And Attorney General Jeff Sessions’ recusal from matters related to the Russia probe could remove from certain discussions an administration figure who has an important statutory role on cyber policy.

On the other hand, a business community source said, “Most cyber watchers aren’t expecting Congress to make major legislative moves” this year.

Stakeholders are not looking to the Senate Intelligence Committee for policy action, whereas up through the end of 2015, that committee was at the heart of a fierce debate over cyber information sharing, which pitted the business community against online privacy and civil liberties groups.

“Senate intelligence is at the center of the political storm” over the Russia hacks, said a business source. “Fortunately … no major cyber bills are on the horizon that could get snared.”

But Democrats on the Senate Intelligence Committee are making the argument that the key policy issues in cyberspace are coming to a head in the Russia probe.

“We’re here because a foreign power attacked us here,” said Senate intelligence ranking member Mark Warner, D-Va. The “cyberattacks” were “aimed at undermining faith in our institutions,” he said, adding, “We must determine what [the Russian government] did … [and] steps to avoid it happening again.”

Republicans during the hearing focused on establishing that no laws were broken during Comey’s encounters with Trump.

But they too acknowledged the substantial policy implications of Russia’s aggressive and ongoing cyber activities.

Intelligence Chairman Richard Burr, R-N.C., said the 2016 hacks and other activity “may have been aimed at one party, but in 2018, 2020 and beyond, it could be aimed at anyone.”

Burr promised a “unified bipartisan effort” to address those challenges.

What are the issues at play?

One question is how cyberattacks are attributed and the related question of how the U.S. articulates a cyber policy that actually deters aggression by spelling out the consequences for state-sponsored hacks.

“There’s so many other distractions beyond the probe, I’m not sure the probe is the lone distraction,” said one source active in the info-sharing community. But one potentially positive impact from the controversy is a renewed discussion on attribution of attacks, the source said.

The Russia controversy and the WannaCry ransomware attack “have at least raised the topic of the challenges with attribution,” according to the source.

Another question is whether the cyber information sharing law enacted at the end of 2015 played any role in limiting the damage from Russia’s sophisticated intrusions. So far, no one from intelligence or homeland security circles is saying.

That’s been an ongoing issue in evaluating the effectiveness of the Cybersecurity Act of 2015: Its successes go largely unreported, out of operational necessity, while successful cyberattacks against U.S. targets can be portrayed as a sign that the law and related programs aren’t working.

The Department of Homeland Security has acknowledged that its program for sharing cyber threat information with the private sector remains a work in progress.

Some of this could be addressed in pending legislation by House Homeland Security Chairman Michael McCaul, R-Texas, to centralize DHS’s cyber functions, but so far this year there has been little effort to address cyber issues in a comprehensive fashion.

The Russia investigation may eventually help frame the policy issues that must be addressed, but based on the Snowden experience, that isn’t going to happen anytime soon.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield. 
