McCain Chides White House on Cyberwarfare Policy Work; NSA Head Notes Russia Threat

The administration's failure to produce the report and other factors indicate the U.S. remains “woefully unprepared” to combat cyberthreats posed by Russia and other nations, McCain said. NSA Director Michael Rogers, who also leads the U.S. Cyber Command, told a Senate Armed Services hearing he agrees the U.S. hasn't fully implemented a cyber strategy but is working on it. Such a policy will be needed given indications Russia hasn't reduced cyber operations aimed at influencing other countries' elections, Rogers said.

The administration wasn't able to meet the 90-day self-imposed cyber strategy deadline but “the new team is working on it,” Rogers told the committee. McCain joked he hoped the “check's in the mail” but earlier said it was “disheartening” the White House had failed to meet its deadline. “We were hopeful that after years without any serious effort to develop a cyber deterrence policy and strategy from the last administration, the new administration promised one within 90 days of the inauguration,” McCain said. “Ninety days have come and gone, and no such policy and strategy has been provided.” The Trump administration has delayed other aspects of its cybersecurity policy work, including a planned executive order that remains under development months after the White House postponed an intended late January signing ceremony (see 1701310066, 1702280065 and 1704270029).

“I have not” seen any evidence to indicate that Russia is reducing its use of cyber tools to meddle in other nations' elections as U.S. intelligence agencies charge occurred during the 2016 U.S. presidential election, Rogers said. U.S. officials warned their French colleagues that Russia was attempting to use similar tactics in that country's now-concluded presidential election (see 1705080001). French cybersecurity officials are investigating what they described as a “very serious” breach of now President-elect Emmanuel Macron's campaign information systems before that nation's Sunday election. The breach resulted in the leaking of Macron campaign team emails and other data.

Russia and others “need to know we will publicly identify this behavior” and “there is a price to pay for doing this,” Rogers said. He said the U.S. is similarly working with German and U.K. cyber officials before those countries' elections later this year to “figure out how we learn from each other.” State actors “have grown more sophisticated and assertive” in cyberspace, to the point that a worst-case cyberattack scenario for the U.S. likely includes both “outright destructive attacks focused on some aspects of critical infrastructure” and “massive” data manipulation, Rogers said. Most actors' cyberattacks thus far have involved only “penetration and extraction” tactics aimed at data theft, so outright data manipulation presents “a very different kind of challenge” for the U.S., he said. A worst-case scenario also likely will involve non-state actors who “decide that cyber now is an attractive weapon and enables them to destroy the status quo,” Rogers said.

U.S. Cyber Command is on track to reach its full operational potential in 2018, though the military still faces ongoing hurdles to making the command sustainable in the long term. McCain noted significant turnover in cyber-focused roles within the military, which Rogers also acknowledged. “We need a broad range of skills, and many of the best candidates won't necessarily have advanced educations but have deep experience in the field,” he said: The military “can't keep relying on five-to-10-year development cycles in terms of manpower.”