The need for a well-articulated national cybersecurity deterrence policy has been a hot topic in industry circles for years, but the Trump-Putin summit in Helsinki pushed the issue to the forefront of the cyber conversation, underscoring recent steps as well as persistent shortfalls.
The Trump White House — after appearing to be thrown off stride by bipartisan criticism of the president’s performance in Helsinki — and the GOP congressional leadership have both moved in recent days to present a “tougher” face on Russia.
“I’m very concerned that Russia will be fighting very hard to have an impact on the upcoming Election. Based on the fact that no President has been tougher on Russia than me, they will be pushing very hard for the Democrats. They definitely don’t want Trump!” Trump tweeted last week.
“[House Speaker Paul Ryan] and I made clear that Putin would not be welcome here at the Capitol,” Senate Majority Leader Mitch McConnell, R-Ky., told reporters last week, referring to a possible second summit in Washington.
The actual steps being taken to write a deterrence policy, however, are a little more subtle and complex than slamming a Capitol door in Putin’s face.
Perhaps the most direct move in the works on deterrence policy awaits a Trump decision: a proposal to eliminate or scale back the Obama-era Presidential Policy Directive-20, requiring interagency and presidential approval for certain offensive actions by the Pentagon’s cyber warriors.
Undoing the directive has support in some quarters on Capitol Hill, but it would not be without controversy.
“I think they are redoing PPD-20, but you still need presidential authorization for a [cyber] campaign,” James Lewis of the Center for Strategic and International Studies said. “Until the U.S. sorts out its Russia policy, we won’t have a deterrent.”
Senate Armed Services cyber subcommittee chairman Mike Rounds, R-S.D., said the president’s comments in Helsinki “raised questions as to whether he’s able to move forward at this time [on revising PPD-20] or needs additional evidence.”
“We’ve been doing reviews and informational hearings with the people responsible for the cybersecurity of the country, mostly in a classified setting,” Rounds said, adding there was “no question about Russian activities and involvement in the 2016 campaign with the intent of destroying confidence in the system.”
He pointed to a February 2017 DOD Science Advisory Board report calling for “an effective deterrent” backed by “offensive capabilities.”
But Trump has yet to approve proposed changes to PPD-20 related to the nation’s “offensive cyber capabilities,” Rounds said, and it is unclear whether administration officials have had a chance to “brief him in order to authorize moving forward with these strategic steps on cyber.”
The key, Rounds said, is “getting it before him and having the time to brief him — there’s so much on his plate — to get his support for changes in our offensive capabilities.”
In other areas of deterrence policy, the Senate Foreign Relations and Banking committees on July 24 announced their plans for hearings on potentially strengthening sanctions against Russia, under a directive from McConnell.
The first step was last week’s Foreign Relations hearing with Secretary of State Mike Pompeo, to be followed soon by a Senate Banking “classified Members briefing with Administration officials to discuss Russia and the impact of sanctions,” according to a release by the two committees.
The Banking Committee will also hold hearings on implementation of existing sanctions against Russia and possible additional steps, according to the panels.
Pompeo — in a tense exchange with Senate Foreign Relations Ranking Member Robert Menendez, D-N.J. — said he would work with Congress on additional sanctions aimed at Russia, while stressing that Trump emphasized to Putin in Helsinki that the U.S. would not relax existing sanctions on that country.
Menendez said he and Sen. Lindsey Graham, R-S.C., will soon introduce legislation “to ensure we have the most effective tools to confront Russia.”
Corker, in comments to reporters, noted that after Helsinki, “Now Congress is concerned about how strongly the administration will press” the sanctions currently in law. “We want to go through the committee process,” he stressed. “Let’s figure out what we’re trying to achieve … [and then consider] additional steps to deter them [Russia].”
McConnell last week also pointed to the Deter Act by Sens. Marco Rubio, R-Fla, and Chris Van Hollen, D-Md., which would apply automatic sanctions if Russia is caught interfering in upcoming elections, as “worth looking at.”
Sen. Chris Coons, D, Del. — who along with Sen. Jeff Flake, R-Ariz., unsuccessfully pushed a nonbinding resolution calling for implementation of existing sanctions as well as support for the Robert Mueller investigation — said the Deter Act may be discussed in the context of “merging elements” of different sanctions bills and suggested it would probably pass the Senate with more than 90 votes.
Sen. James Lankford, R-Okla., said the post-Helsinki uproar has provided momentum for the bipartisan Secure Elections Act that he cosponsors. That bill would simplify approval of security clearances for state officials and encourage “basic standards” for election systems, Lankford said. “You’re not really doing deterrence until you pass some of these things,” Lankford said.
“Congress must take the initiative across the board on cyber and Russia,” said Senate Intelligence Ranking Member Mark Warner, D-Va. “In a normal administration, they wouldn’t have eliminated the cyber coordinator positions at the White House and State Department.”
Warner acknowledged that the absence of a U.S. cyber doctrine on deterrence, which could have tempered Russia’s behavior, predates the Trump administration and called it “a failure of the last decade.”
Deterrence policy is also kicking around in other corners of the Trump administration. The Justice Department recently released a report by its Cyber Digital Task Force containing five steps designed to get ahead of the cyber threat.
The DOJ report calls for broad government collaboration, aggressive criminal investigations and prosecutions, strategic relationships with social media providers, and a new policy on disclosing foreign influence operations.
“This policy provides guideposts for Department action to expose and thereby counter foreign influence threats, consistent with the fundamental principle that the Department always must seek to act in ways that are politically neutral, compliant with the First Amendment, and designed to maintain the public trust,” according to the report.
“The move to greater notification has been a gradual effort,” said Ari Schwartz, cybersecurity director at the National Security Council under former President Barack Obama. “So far, I think that it has been very successful and ramping it up is a positive step.”
