Cybersecurity
Those actors would be subject to a range of economic and travel-related sanctions. Yoho’s bill recently passed the House Foreign Affairs Committee and has garnered support from a bipartisan group of cybersecurity-focused lawmakers.
The legislation is meant to codify many of the strategies used during the first 18 months of the Trump administration in response to high-profile cyberattacks against the United States, pairing “name and shame” tactics with economic and political pressure in a
way that results in mean-
ingful consequences for
those who step over the
line.
“We don’t have examples in history of that kind of asym- metry and how to handle it,” the staffer said. “Even if you looped in the smartest, most knowledgeable people with all of the letters after their name that you could possibly imagine, they couldn’t sit in a room and say, ‘Ten years from now, this framework will still hold true.’”
In the past year, policymakers have been working behind the scenes to carve out a larger role for U.S. Cyber Com- mand. CyberScoop reported in April that the command
The problem is that many policymakers aren’t sure where those lines are, and some ques- tion whether it’s a good idea to draw them at all.
Langevin said he believes legislation like Yoho’s bill could help the country better police the gray zone around nation- state cyberattacks, but he is concerned that being too specific could increase the potential for a Gulf of Tonkin-like misunderstanding.
“It’s hard to draw red lines in cyberspace as the threats are rapidly evolv- ing,” Langevin said. “We have to be careful about being too prescriptive.”
“It’s hard to draw red lines in cyberspace as the threats are rapidly evolving.We have to be careful about being too prescriptive.”
— REP. JIM LANGEVIN (D-R.I.)
has been steadily win- ning a tug of war with intelligence agencies for supremacy over offen- sive cyber operations, including those taking place outside traditional war zones. More recent- ly, the organization has been encroaching on what is typically con- sidered the Department of Homeland Security’s turf by establishing threat information-shar- ing programs with the banking sector.
Curtis Dukes, former director of the Nation- al Security Agency’s Information Assur- ance Directorate, said unleashing a military organization like Cyber Command to engage in offensive operations without a shared doc- trine for conducting information warfare will have unintended consequences.
That view was echoed
by many others. Speak-
ing on background, a
majority staffer on one of the congressional homeland secu- rity committees was reluctant to offer even a broad outline of a cyberwarfare doctrine, arguing that the unsettled landscape and the potential for new technologies — such as artificial intelligence, quantum computing and augmented reality — to disrupt the status quo mean that any rules established today could be obsolete five years from now.
Even worse, the rules could box officials into enforcing ultimatums that no longer make sense in an evolving policy environment. The staffer compared the situation to Calvin- ball, a game in the comic strip “Calvin and Hobbes” whose only rule is that the rules must constantly change.
“We don’t know with any level of precision what would actually constitute an act of war where we would respond either militarily or using our own cyber offensive capabilities,” Dukes said. “Frankly, that needs to occur if we’re going to use Cyber Command as a capability to protect the homeland.”
A former high-ranking congressional staffer who worked on military cyber policy concurred, saying the U.S. lacks a solid interagency process for weighing risks and examining the trade-offs of such operations.
“I’m sure there are places where it would be appropriate for CyberCom to be more aggressive, but I can tell you, hav- ing sat over at DOD, that CyberCom would bring out some
14 July/August 2018 FCW.COM