Illustration: Caresse Haaser/Axios

The U.S. still doesn’t have a national cybersecurity doctrine that outlines what would happen to adversaries when they launch cyberattacks against the U.S.

Why it matters: The country's ability to fight back is limited without the overarching doctrine and authority laid out for government agencies. That's a problem given that the midterm elections are coming up, and intelligence leaders have said Russia is showing no signs of letting up on its hacking attempts.

What they're saying:

  • “When you lack a strategy or a doctrine, you don’t have the advantage of deterrence,” Republican Rep. Will Hurd, who serves on the House Homeland Security Committee, told Axios.
  • The concern, as independent Sen. Angus King put it during a recent hearing on election security, is that “the Russians sent in this whole operation in to our election system…and paid no price.”
  • “No one is saying ‘the buck stops here,’” said Democratic Sen. Martin Heinrich.

The impact: The lack of clear lines of authority to respond to cyberattacks — and hacks of U.S. elections — was a big topic at a Senate Intelligence Committee hearing last month. Right now the Department of Homeland Security, the FBI, and the Department of Defense all play roles in defending the U.S. in cyberspace.

Here's how it breaks down:

  • The Department of Homeland Security protects civilian and critical infrastructure, which as of last year includes election infrastructure.
  • The FBI is the lead for investigating cybercrimes and disrupting those trying to commit them.
  • The Department of Defense and intelligence agencies play a role “predominantly when you start going overseas,” according to Robert Silvers, who served as Barack Obama's assistant secretary for cyber policy at DHS.

"I’m a very strong advocate of making it very clear who has the lead."
— Homeland Security Secretary Kirstjen Nielsen

What the White House has done without actually issuing a doctrine: The Trump administration said it would roll out a cyber policy within 90 days after inauguration last year, but the action got delayed.

  • Trump did sign an executive order in May that suggested government agencies use private sector cybersecurity best practices, but it was not a doctrine. It also set off a series of cybersecurity assessments throughout the federal government.
  • A National Security Council official said there were no updates to provide on drafting a doctrine.

The questions a cybersecurity doctrine would have to resolve:

  • Should there be a "red line"? “In the digital world, we're going to see someone get very, very close to that red line" but not cross it, Hurd said. “You do want some strategic ambiguity” left in an ideal doctrine.
  • What should trigger a response? A big question, Hurd said, is whether the U.S. needs to find an individual responsible for a cyberattack, or whether it's enough just to determine that a government entity is responsible.
  • What should the response be? Determining what kinds of attacks deserve a digital response and which ones should provoke other responses — like sanctions, indictments, travel bans, or even a physical attack — brings a host of challenges to the conversation, Hurd said.

What to watch in the meantime: Tom Kellermann, the chief cybersecurity officer at the security company Carbon Black, told me he's worried there will be "a cyber reaction" by Russia in response to the latest sanctions imposed by the U.S.
