Current and former Cyber Command and Department of Homeland Security leadership told lawmakers Wednesday that Congressional action is needed to improve interagency cyber strategy coordination and speed up authorities to thwart future threats.
Witnesses at hearings with the House Armed Services Committee (HASC) and its emerging technologies subcommittee cited a lack of a common operating picture for cyber coordination and slow engagement of private sector partners as hindering the ability to deter growing threats.
“I do not think it’s an exaggeration to say that our nation has still not faced up to the threat,” said Rep. Mac Thornberry (R-Texas), HASC chairman, during his opening remarks. “We still have not answered the fundamental question of what we expect the federal government to do to defend our citizens, our businesses, our infrastructure and our society in cyber. Meanwhile, the capabilities of our adversaries and their willingness to use them is growing far faster than our response”
Thornberry’s committee brought in two former DHS secretaries and the the previous leader of NSA and Cyber Command to discuss areas of cyber security coordination that need the most immediate improvement.
Retired Gen. Keith Alexander, the last NSA and Cyber Command leader, said a lack of direction on the use of offensive cyber operations is hindering interagency cooperation on unified efforts to deter adversaries.
“We need to drive towards a solution that brings together our government players in a coherent, policy path that allows us to work with industry to actually defend this nation. And I think it’s doable,” Alexander said.
Congress must facilitate policy discussion on creating “common operational pictures” for interagency collaboration to fix isolated approaches to understanding future threats, according to Alexander.
“We don’t have a common operational picture for cyber. We can’t see, as a nation, other nations attacking us. As a consequence, we have limited abilities to actually defend our nation at network speed which is what will be required in the next few years,” Alexander said.
Jeh Johnson, a former Obama administration DHS secretary, said improved coordination could better facilitate executive decision-making on cyber concerns and allow Cyber Command to more rapidly gain authorities to thwart adversarial threats.
“Among our military cyber security personnel, without getting into too much detail, I know some feel that the law and traditional international principles restrain our ability to use some of our current capabilities,” Johnson said.
On a separate panel later Tuesday afternoon, with the HASC emerging technologies & capabilities subcommittee, lawmakers pressed Adm. Mike Rogers, current leader of Cyber Command on DoD’s role in facilitating a common operating picture.
“Our adversaries have grown more emboldened, conducting increasingly aggressive activities, to increase their influence with limited fear of consequences. We must change our approaches and responses here if we are to change that dynamic,” Rogers said. “Let’s get down to the actual center and sector level, because that’s where it comes to the day-to-day execution. We want to get to speed. We want to get to agility. That a future focus for us moving forward.”
Rogers has previously announced he will retire this spring. Lt. Gen. Paul Nakasone, commander of Army Cyber Command, has been nominated as his successor.
Rep. Elise Stefanik (R-N.Y.), subcommittee chairwoman, said Cyber Command will have to lead the discussion on enacting any future national cyber doctrine.
“While adversaries continue to use cyber as a means to achieve strategic objectives, I remain concerned that we as a government do not have a strategy in place to mitigate, deter or oppose their advances,” Stefanik said.
Both panels discussed the need for a change in approach to get industry partners more involved in cyber discussions without being hindered by a lack of security clearances.
Rogers pointed to his command’s newly acquired acquisition authority allowing for more collaboration with small businesses on capability development.
“Innovation and rapid development demand competition. The ability to leverage all partners, including that of small businesses in the private sector. We intend to create an unclassified collaboration venue where businesses and academia can help tackle tough problems with us without needing to jump through clearance hurdles,” Rogers said.
Michael Chertoff, the former Bush administration DHS Secretary, told HASC lawmakers that private sector critical infrastructure partners need improved information sharing partners, a common threat language and propagation of definitive cyber standards.
Alexander agreed, adding that limited access to clearances will continue to hold up information sharing needed for critical cyber planning.
“Information sharing has to be at network speed if you want to stop the threat,” Alexander said.