Trump, senators headed for clash on cyber policy

Senators are barreling toward a clash with the Trump administration over how to deter and respond to cyberattacks.

The Senate is taking up annual defense policy legislation this week that would set a national policy for cybersecurity and cyber warfare, an effort the Trump administration has fought in the past, arguing it would infringe on the president’s authorities.

{mosads}The Senate Armed Services Committee’s decision to include the provision in its version of the National Defense Authorization Act (NDAA) reflects frustration that has built up over the years as a result of what lawmakers see as a lack of urgency in the executive branch to set a comprehensive cyber strategy.

“If we don’t develop a cyber policy and a doctrine, these attacks are just simply going to continue and at one point, one of them is going to be catastrophic and people are going to say, ‘why didn’t you do anything?’ ” Sen. Angus King (I-Maine), a member of the Armed Services Committee, told The Hill.

Armed Services Chairman John McCain (R-Ariz.) has been at the forefront in pressing officials in the Obama and Trump administrations to lay out a comprehensive cyber strategy that would provide a road map for responding to cyberattacks and deter would-be attackers by spelling out clear consequences.

The defense bill that Trump signed last year required his administration to develop a national policy for cyberspace and cyber warfare. In April, the president submitted that report to Congress, but in classified form, meaning its details are sealed from the public.

Senators were left unsatisfied.

“I didn’t think it was clear and unequivocal enough,” King said. “It’s got to be a doctrine that our adversaries understand if it’s going to act as a deterrent.”

The committee’s version of the fiscal 2019 NDAA would make it the policy of the United States to “employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond when necessary” to cyberattacks and nefarious cyber activity that disrupt society or threaten lives, infrastructure or the military.

It would also direct the U.S. to “plan, develop, and demonstrate response options to address the full range of potential cyber attacks on United States interests” and make adversaries aware of U.S. cyber capabilities.

Additionally, it would make it U.S. policy to notify and urge any foreign government to take steps to eliminate malicious cyber activity when that activity relies on networks or infrastructure in that particular country. Should that government fail to act, because they can’t or won’t, the U.S. would “reserve the right to act unilaterally” with or without that government’s consent.

The report accompanying the bill explains the motivation behind the provision.

“The committee has long expressed its concern with the lack of an effective strategy and policy for addressing cyber threats and cyber deterrence,” it states, citing “numerous provisions” in recent versions of the annual bill designed to press the executive branch to act.

“Unfortunately, the committee believes the responses to those requests have been insufficient hitherto and incommensurate with the threat we face in the cyber domain,” the report states.

The provision is certain to spark a fight with the administration, which sees such language as tying the president’s hands.

A near-identical provision included in the Senate’s 2018 version of the bill triggered strong backlash from the Office of Management and Budget (OMB). The office said in a statement last year that it would infringe on the president’s authority and “constrain” his decision space.

“This section would enact certain foreign policy and military determinations that are traditionally within the purview of the President,” the statement read.

Ultimately, a more watered-down version of the provision mandating that Trump himself establish a cyber policy was included in a compromise bill.

A spokesman for OMB did not respond to a request for comment on the cyber policy provision in the latest NDAA.

Experts contend that developing a comprehensive cyber policy that sets consequences for adversaries in cyberspace while allowing officials the flexibility to respond to unique situations is no small feat.

“It’s important that our leaders think through what kinds of consequences would be warranted. You also can see how decisionmakers want to maintain maximum flexibility,” said Michael Sulmeyer, a former cyber policy official at the Pentagon.

The challenge, Sulmeyer said, is that any effective deterrence strategy would inevitably need to include potential responses outside the cyber realm — such as economic sanctions, law enforcement and military actions.

“That’s a much broader set of national decisions that need to be made,” said Sulmeyer, who now directs the cybersecurity project at Harvard University’s Belfer Center.

Some have also warned of the pitfalls of drawing clear “red lines” in cyberspace.

“One of the concerns that people voice is that it encourages an adversary to march right up to that line and stop just short of it to see exactly how committed the United States is to that threshold,” Sulmeyer said.

Lawmakers from both parties have long worried that not spelling out clear penalties for digital attacks has simply invited adversaries to keep attacking.

“The lack of decisive and clearly articulated consequences to cyberattacks against our country has served as an open invitation to foreign adversaries and malicious cyber actors to continue attacking the United States,” a bipartisan group of senators, including Sen. Mike Rounds (R-S.D.), the chairman of the Armed Services Subcommittee on Cybersecurity, wrote to Trump in March. They urged him to announce a national cyber deterrence strategy “as soon as possible.”

The deliberations over the 2019 NDAA also come amid concerns over the administration’s decision to eliminate the White House cyber coordinator position, a role dedicated to coordinating cyber policy across the federal government.

The National Security Council has said the decision was meant to streamline management and improve coordination between the council’s senior directors working on cyber policy.

The move brought a flood of criticism from Democrats. In late May, Sen. Susan Collins (R-Maine) joined with Sen. Martin Heinrich (D-N.M.) in sharing their concerns to Trump.

“In our view, an empowered cybersecurity coordinator is needed to drive and oversee a comprehensive, White House-issued cybersecurity strategy to include deterrence, defense, and network resilience that coordinates U.S. government efforts across the various departments and agencies,” they wrote.

“Bipartisan support exists in the Senate for rolling out a cybersecurity strategy as soon as possible.”

The Senate voted Monday evening to begin debate on the NDAA.

There could be a hurdle, however, for lawmakers looking to institute a national cyber policy.

Once the legislation passes the Senate, lawmakers from both chambers will hash out the final details of a compromise bill. The House version, though, which easily passed the lower chamber in May, does not include a provision setting forth a cyber policy.