When the chairman of the Senate Armed Services Committee has to threaten to subpoena the White House cybersecurity coordinator to testify on the current status of the nation’s cybersecurity strategy heading into the next round of national elections, it is fair to conclude the nation is in for another nightmare scenario at the hands of Vladimir Putin.
Sen. John McCain, R-Ariz., presided over a hearing Thursday attended by all of the principal Federal cybersecurity officials except one. Senators addressed an empty seat that should have been filled by Rob Joyce, a member of the National Security Council and the Trump administration’s cybersecurity coordinator.
“Many of us know Mr. Joyce and respect him deeply for his experience and expertise on cyber and his many years of service,” McCain said. “Unfortunately, but not surprisingly, the White House declined to have its cyber coordinator testify citing executive privilege and precedent against having non-confirmed NSC staff testify before Congress.
“To me, the empty chair before us represents a fundamental misalignment between authority and accountability in our government today when it comes to cyber,” McCain said. “Mr. Joyce’s absence here, whose job it is to do all of this, is an example frankly of the disarray in which this whole issue rests.”
McCain said the committee would discuss the possibility of issuing a subpoena to force Joyce to appear before the committee.
Several top cybersecurity officials testified at Thursday’s hearing, including Kenneth Rapuano, the Pentagon’s assistant Defense secretary for homeland defense and global security; Scott Smith, the assistant director for the FBI’s cyber division; and Christopher Krebs, the acting undersecretary at the Department of Homeland Security charged with protecting federal civilian networks and critical infrastructure from cyber threats.
But Joyce’s failure to appear before Congress and the inability of those who did testify to say whether or not they would consider an attack on state election databases an attack against the country underscore how little progress has been made on developing a national cybersecurity doctrine. Even the chart presented to the Armed Services Committee depicting the roles and responsibilities of Federal agencies was five years old — created two years before the North Korean cyberattack on Sony.
“To be clear, we are not succeeding. For years we have lacked policies and strategies to counter our adversaries in the cyber domain and we still do,” McCain said. Joyce’s position in the White House “lacks the full authority to make cyber policy and strategy and direct our government’s efforts,” McCain added. “And that official is literally prohibited by legal precedent from appearing before the Congress. So when we, the elected representatives of the American people, ask who has sufficient authority to protect and defend our nation from cyber threats and who is accountable to us for accomplishing that mission, the answer is quite literally no one.”
The FBI’s Smith assured Senators that the bureau had not stopped its election security work. The FBI has established an election fusion cell at FBI headquarters that is actively working with other government agencies to prepare for the 2018 midterm elections and the likelihood that the Russians will once again attempt to influence and discredit the results.
Of course, none of these bureaucratic responses to organizational and coordination issues amount to a strategy or a doctrine. The last time the U.S. had an official national-level doctrine was the Doctrine of Containment, a military doctrine targeting the expansion of the Soviet Union that was phased out at the end of the Cold War. Since then, nobody in government has articulated anything approaching a cyber doctrine for a world where digital attacks are potential acts of war. Instead, the nation jumps from one crisis to the next with no consistency in the cost analysis for our adversaries.
“Cyber is warfare. It is an attempt to destroy a democracy,” McCain said. “That’s what Mr. Putin is all about.”