The main responsibility of the federal government is the defense of our nation. Today, that responsibility entails the need to protect our nation against emerging threats, one of the most significant of which is in the cyber domain.
Now, more than ever, our national defense strategy must include protecting our Armed Forces and civilian infrastructure from cyber-attacks by highly-capable adversaries. If the federal government fails to fulfill this requirement, the United States could suffer military defeat, long-lasting widespread destruction and extensive loss of life.
When Al-Qaeda terrorists attacked our country 17 years ago on September 11th, they used commercial airplanes as their weapons. These days, our adversaries have the ability to wreak havoc from thousands of miles away, with a computer as their weapon. Take the 2016 election. While ultimately unsuccessful, we know that Russia attempted to get into at least 20 of our state election systems.
That was part of their ongoing effort to discredit the integrity of our free and fair elections, coupled with disinformation and fake advertising on popular sites such as Facebook and Twitter. Their goal is to create chaos and distrust in our system of government. So far, they have been unsuccessful, but they and potentially other adversaries will continue trying to impact our elections as well as other democratic elections around the world. This is why we need a clear plan to defend and retaliate against cyber attackers and ultimately deter them from attacking us in the first place.
Now, more than ever, our national defense strategy must include protecting our Armed Forces and civilian infrastructure from cyber-attacks by highly-capable adversaries.
Both Russia and China are near-peer competitors. Other countries with much less military power could also cause damage with little effort, even though their military technology and resources may be limited. Iran, as an example, can’t compete with us on the battlefield, yet it could attack our electric grid or banking system. In so doing, a hostile actor could use cyber-attacks to level the battlefield and impact our military advantage born of expensive technology. In other words, the superior weapons we have acquired over several generations to dominate the land, sea and air domains are at risk. More specifically, because we rely on cyber technology to operate our weapon systems such as aircraft, ships and military infrastructure, a cyber-attack could diminish these traditional tools of war.
As a member of the Senate Armed Services Committee (SASC) and Chairman of the Subcommittee on Cybersecurity, I, along with my colleagues, have over the past 20 months conducted cyber-related oversight of the Defense Department, with an eye toward a robust combat-ready Cyber Mission Force as well as a strategy and policies that enable that force to respond rapidly and effectively. Maximizing the readiness of this force has been a particular area of focus for the subcommittee.
The readiness of the Cyber Mission Force must be considered in the context of the cyber threat. Cyber-attacks on the United States present an attractive option for our adversaries, because they can attack us in cyber-space without necessarily provoking a kinetic response by highly capable and for the most part superior U.S. “conventional” military means. Additionally, the Defense Science Board has stated that for the next 10 years, the United States will not be able to defend its critical assets from a cyber-attack by our most advanced adversaries. This underscores the need for a strong cyber deterrent strategy to convince our adversaries that they will pay a significant price if they attack us in cyber-space just as they would if they attacked us with kinetic means.
Although the United States has a formidable cyber capability to deter adversaries, employment of that capability has been hamstrung for years by Presidential Policy Directive 20 (PPD 20). Though based upon the laudable goal of implementing a whole-of-government approach to cyber operations, PPD20 rendered the conduct of offensive cyber operations hostage to a consensus-based interagency process that almost completely negated our nation’s ability to conduct such operations. More specifically, this process has precluded U.S. Cyber Command from swiftly and preemptively thwarting an imminent cyber-attack based upon near real time intelligence. This makes news reports that the Trump Administration has decided to reconsider PPD 20 very encouraging. We have played defense long enough when it comes to cybersecurity. It is time to go on offense. We also have to make it more expensive to successfully attack us by improved cyber defenses.
We have played defense long enough when it comes to cybersecurity. It is time to go on offense.
While the work of the Cybersecurity Subcommittee is focused on the Defense Department, we continue work with our colleagues on and off the Senate Armed Services Committee to oversee the administration’s inter-agency plans, programs and policies for the purpose of protecting critical national infrastructure, most of which is in the private sector. A cyber-attack on our critical national infrastructure – such as our electric grid, transportation system and financial system – could lead to devastating, possibly irreversible damage as well as tremendous loss of life and suffering by the American people.
Out of concern that we lacked a clearly articulated strategy to deter such attacks, I introduced the Cyber Act of War Act two years ago to require the Administration to develop a policy to determine when a cyber-attack constitutes on act of war. A version of this provision was signed into law as part of the National Defense Authorization Act for Fiscal Year 2017. Unfortunately, the Administration has yet to fulfill this statutory requirement.
The U.S. Armed Forces and its men and women who wear the uniform remain the greatest in the world and have repeatedly demonstrated dominance in the traditional military domains of land, sea and air. We must now expand our military dominance to include the cyber domain. Preeminence in the cyber domain is vital to succeed in the other domains — air, land and sea — as well as to protect our homeland.
We have a great deal of work ahead, but I am confident that we will succeed thanks to the outstanding Americans who serve our country in and out of uniform.
Mike Rounds represents South Dakota in the United States Senate. He serves as Chairman of the Armed Services Subcommittee on Cybersecurity.