Updated Apr 10, 2018

The U.S. still doesn’t have a cybersecurity doctrine

Shannon Vavra

Illustration: Caresse Haaser/Axios

The U.S. still doesn’t have a national cybersecurity doctrine that outlines what would happen to adversaries when they launch cyberattacks against the U.S.

Why it matters: The country's ability to fight back is limited without the overarching doctrine and authority laid out for government agencies. That's a problem given that the midterm elections are coming up, and intelligence leaders have said Russia is showing no signs of letting up on its hacking attempts.

What they're saying:

  • “When you lack a strategy or a doctrine, you don’t have the advantage of deterrence,” Republican Rep. Will Hurd, who serves on the House Homeland Security Committee, told Axios.
  • The concern, as independent Sen. Angus King put it during a recent hearing on election security, is that “the Russians sent in this whole operation in to our election system…and paid no price.”
  • “No one is saying ‘the buck stops here,’” said Democratic Sen. Martin Heinrich.

The impact: The lack of clear lines of authority to respond to cyberattacks — and hacks of U.S. elections — was a big topic at a Senate Intelligence Committee hearing last month. Right now the Department of Homeland Security, the FBI, and the Department of Defense all play roles in defending the U.S. in cyberspace.

Here's how it breaks down:

  • The Department of Homeland Security protects civilian and critical infrastructure, which as of last year includes election infrastructure.
  • The FBI is the lead for investigating cybercrimes and disrupting those trying to commit them.
  • The Department of Defense and intelligence agencies play a role “predominantly when you start going overseas,” according to Robert Silvers, who served as Barack Obama's assistant secretary for cyber policy at DHS.
"I’m a very strong advocate of making it very clear who has the lead."
— Homeland Security Secretary Kirstjen Nielsen

What the White House has done without actually issuing a doctrine: The Trump administration said it would roll out a cyber policy within 90 days after inauguration last year, but the action got delayed.

  • Trump did sign an executive order in May that suggested government agencies use private sector cybersecurity best practices, but it was not a doctrine. It also set off a series of cybersecurity assessments throughout the federal government.
  • A National Security Council official said there were no updates to provide on drafting a doctrine.

The questions a cybersecurity doctrine would have to resolve:

  • Should there be a "red line"? “In the digital world, we're going to see someone get very, very close to that red line" but not cross it, Hurd said. “You do want some strategic ambiguity” left in an ideal doctrine.
  • What should trigger a response? A big question, Hurd said, is whether the U.S. needs to find an individual responsible for a cyberattack, or whether it's enough just to determine that a government entity is responsible.
  • What should the response be? Determining what kinds of attacks deserve a digital response and which ones should provoke other responses — like sanctions, indictments, travel bans, or even a physical attack — brings a host of challenges to the conversation, Hurd said.

What to watch in the meantime: Tom Kellermann, the chief cybersecurity officer at the security company Carbon Black, told me he's worried there will be "a cyber reaction" by Russia in response to the latest sanctions imposed by the U.S.

Go deeper

Axios

Coronavirus dashboard

Illustration: Sarah Grillo/Axios

  1. Global: Total confirmed cases as of 1 a.m. ET: 664,695 — Total deaths: 30,847 — Total recoveries: 140,156.
  2. U.S.: Leads the world in cases. Total confirmed cases as of 1 a.m. ET: 124,464 — Total deaths: 2,191 — Total recoveries: 1,095.
  3. Federal government latest: President Trump announces new travel advisories for New York, New Jersey and Connecticut, but rules out quarantine enforcement. Per the CDC, residents of those states must now "refrain from non-essential domestic travel for 14 days," with the exception of critical infrastructure industry workers.
  4. State updates: Alaska is latest state to issue a stay-at-home order — New York is trying to nearly triple its hospital capacity in less than a month and has moved its presidential primary to June 23. Some Midwestern swing voters who backed Trump's handling of the virus less than two weeks ago are balking at his call for the U.S. to be "opened up" by Easter.
  5. World updates: In Spain, over 1,400 people were confirmed dead between Thursday to Saturday.
  6. 🚀 Space updates: OneWeb filed for bankruptcy amid the novel coronavirus pandemic.
  7. Hollywood: Tom Hanks and Rita Wilson have returned to U.S. after being treated for coronavirus.
  8. What should I do? Answers about the virus from Axios expertsWhat to know about social distancingQ&A: Minimizing your coronavirus risk
  9. Other resources: CDC on how to avoid the virus, what to do if you get it.

Subscribe to Mike Allen's Axios AM to follow our coronavirus coverage each morning from your inbox.

Keep ReadingArrowUpdated 1 hour ago - Politics & Policy
Axios

Coronavirus updates: Global death toll tops 30,000

Data: The Center for Systems Science and Engineering at Johns Hopkins, the CDC, and China's Health Ministry. Note: China numbers are for the mainland only and U.S. numbers include repatriated citizens and confirmed plus presumptive cases from the CDC

The novel coronavirus has now killed more than 30,000 people around the world — with Italy reporting over 10,000 deaths, per Johns Hopkins data.

The big picture: The number of deaths from COVID-19 in the U.S. surpassed 2,000 on Saturday. The United States leads the world in confirmed coronavirus infections — more than 124,000 by late Saturday. The number of those recovered from the virus in the U.S. passed the 1,000-mark on Saturday evening.

Go deeperArrowUpdated 2 hours ago - Health
Rebecca Falconer

Trump rules out quarantine in New York, New Jersey, Connecticut after pushback

President Trump on the White House grounds on Saturdya. Photo: Sarah Silbiger/Getty Images

President Trump tweeted Saturday night that he's decided not to introduce quarantine enforcement measures fo New York, New Jersey and parts of Connecticut, but a "strong" travel advisory will be issued for those states. The CDC later announced domestic travel restrictions for the states.

Why it matters: Trump said hours earlier he was considering quarantine measures to combat the rise in novel coronavirus cases. But he received pushback, notably from New York Gov. Andrew Cuomo (D), who told CNN such a measure would cause "chaos." "This would be a federal declaration of war on states," Cuomo added.

Go deeperArrowUpdated 5 hours ago - Health