Congress demands cyber details while DOD aims for ambiguity
WASHINGTON — Amid a rising din of reports of online incursions and Internet-based attacks, Congress wants to know why the Pentagon still hasn’t revealed its basic cyberdefense ground rules.
By law, the Department of Defense was required to report on its cyberwar policies to Congress by March 1, a deadline it missed. And the much-heralded Pentagon cyberstrategy released last week didn’t clarify the matter, according to a letter sent to the defense secretary Wednesday by Sen. John McCain, R-Ariz., and Sen. Carl Levin, D-Mich.
“The continued failure to address and define the policies and legal authorities necessary for the Pentagon to operate in the cyberspace domain remains a significant gap in our national security that must be addressed,” they wrote.
Pentagon spokesman Col. David Lapan said Thursday the Pentagon has requested an extension.
“The report was originally due in March, but the department requested an extension until July so that we can complete all this stuff,” he said. “It is anticipated we will meet that deadline by the end of the month.”
In the meantime, the Pentagon has left many weighty questions hanging, McCain and Levin wrote, including:
- What constitutes an act of war in cyberspace?
- What are the rules of engagement for commanders?
- What is the relationship between attacks on enemy computer networks and attacks with conventional weapons?
So why is there so much confusion over defining acts of war and appropriate responses in the cyberdomain? For one thing, experts said the Pentagon is likely being purposefully ambiguous.
At a press conference following the announcement of the Pentagon cyberstrategy, Deputy Secretary of Defense William Lynn admitted as much. When asked to define acts of cyberwar, he said, “there is some value in keeping it somewhat ambiguous, as a deterrent.”
Some Congressional concerns might have been allayed if the heavily defense-oriented Pentagon cyberstrategy had been more “muscular” and offense oriented, said Frank J. Cilluffo, director of the Homeland Security Policy Institute at George Washington University. Such a document would give potential adversaries a reason to think twice.
“I thought the strategy clearly fell short on articulating our rules of engagement and … our ability to deter and compel various threat actors,” Cilluffo said. “We want to retain some strategic ambiguity, but at the same time we need to be able to make the case that there are certain attacks that predicate a response.”
Another reason for the confusion, said James Lewis, a cybersecurity and technology expert at the Center for Strategic and International Studies, is how loosely terms are thrown around.
“People like using military terms,” Lewis said. Thus, the general public considers everything from teens defacing a website to probing a computer network to be a cyberattack. Pentagon cyberwarriors work by different definitions, Lewis said.
“When I talk to people at the Pentagon, I don’t find confusion over what’s an attack and what’s not,” he said. “But I think they don’t want to lay all that out clearly either.”