ROUNDS: A strategy to protect Americans from cyber threats
It is alleged that in recent months, the Russian government conducted cyber hacks of the Democratic National Committee (DNC) server and attempted to hack the Republican National Committee (RNC) email system.
In October 2016, the Department of Homeland Security and the Director of National Intelligence stated that the cyber hackers "intended to interfere with the U.S. election process" — a very serious charge. On Dec. 29, President Obama imposed sanctions against Russian intelligence services and kicked dozens of Russian diplomats out of the country in retaliation.
The DNC hack is a reminder to all Americans that the United States is not immune to damaging cyberattacks from hostile foreign nations and other bad actors. We must update our national security policies to deter such attacks before a future debilitating attack occurs, possibly on civilian critical infrastructure.
Imagine what would happen if a foreign actor interfered with the operations of a nuclear power plant, or shut down the communications that control aircraft operations, rail operations or water releases from large dams. Such an attack on our critical infrastructure could threaten our entire economy or — worse — lead to loss of life. Without an appropriate plan in place to stop or respond to these cyberattacks, we put ourselves at increased risk for a catastrophic attack to occur.
As a member of the Senate Armed Services Committee (SASC), broadening our national defense policies to adequately address cyberattacks on civilian critical infrastructure has been a priority of mine. SASC Chairman John McCain (R-Arizona) recently held a hearing to examine foreign cyber threats. He has also indicated that he will create a new subcommittee within SASC that is solely focused on cybersecurity.
I am glad that Congress included a provision in the 2017 National Defense Authorization Act (NDAA) which would begin the process of defining when an act in cyberspace constitutes an act of war. With language similar to my Cyber Act of War Act, which I co-sponsored with Sen. Angus King (I-Maine), the NDAA will require the administration to determine when a cyberattack on the United States requires a military response. This is vital because, while current policies permit the Pentagon to respond to a cyberattack against military forces, our nation does not have a clear policy to govern our response to attacks on civilian infrastructure. The NDAA seeks to change that.
Defining when a cyberattack requires a military response is but one in a series of steps we must take to deter our enemies from attacking the United States with this new, sophisticated form of aggression. We cannot know if the alleged hacks in 2016 would have been thwarted had the provisions of the Cyber Act of War Act already been in law. What we do know is that, absent a clear message to our adversaries as to when a cyberattack may warrant a U.S. military response, we will not have done all we can to deter devastating attacks in the future.