With an increased focus on cybersecurity after a spate of high-profile cyberattacks on U.S. government and business organizations since late last year, members of Congress are continuing to call for a clearly defined national cyber deterrent policy. Three prime movers on cybersecurity legislation Congress – Sen. Angus King, I-Maine, and Reps. John Katko, R-N.Y., and Yvette Clarke, D-N.Y. – explained the need to codify a cyber deterrence policy at the Aspen Cyber Summit Oct. 6.
Sen. King, a member of the Cyberspace Solarium Commission, said it’s important that the Biden administration implement the commission’s recommendation to develop a clear guideline for adversaries about the consequences of a cyberattack.
“I think the most important thing is for the administration and the President to develop a clearly articulated declaratory deterrent policy, a deterrence doctrine to put our adversaries on notice that they will pay a price for attacking us in cyberspace,” Sen. King said during a panel discussion. “I think one of the great gaps in our national response has been a tepid or non-response to these series of attacks that we’ve seen over the past 15 or 20 years.”
The Solarium Commission’s Annual Report on Implementation recommends a strategic layered cyber deterrence policy. While Congress has completed part of the strategy’s recommendation – establishing and confirming Chris Inglis as the nation’s first National Cyber Director – other parts of establishing a deterrence policy remain uncompleted. Sen. King advocated that the administration follow through on the commission’s recommendation to issue an updated National Security Strategy that clearly defines the nation’s cyber deterrence policy.
Sen. King said that right now the nation is working with what it has using the Cybersecurity and Infrastructure Security Agency (CISA) and other cybersecurity enforcement methods, and noted that Congress is currently working in both chambers to pass cyber incident reporting laws. He said the nation needs to be clear that there are consequences of cyberattacks on American critical infrastructure.
“The best cyberattack is the one that doesn’t occur,” Sen. King said. “And right now, we’re a cheap date and our adversaries are not. They don’t really fear consequences [and] I think the Russians are starting to figure that out. But I think if I could do one single thing it would be to have the White House, articulate a clear and definitive declaratory cyber doctrine.”
Rep. Katko, ranking member on the House Committee on Homeland Security, echoed Sen. King’s calls for clear cyber deterrence and the need to project strength in the cyber realm. He championed the work the commission is doing and added that both he and Rep. Clarke are working on legislation to build the nation’s cyber defenses.
Rep. Katko introduced the Securing Systemically Important Critical Infrastructure Act Oct. 5 that would direct CISA to designate which critical infrastructure are systemically important and prioritize cybersecurity services for those owners and operators.
“There’s no deterrent effect right now in the cyber realm,” Rep. Katko said. “We’ve got a lot of things that we’re talking about, and [Rep. Clarke] does a great job and all of us from the Solarium on down, to harden our systems and make us less vulnerable. But the thing that makes us most vulnerable is not responding, and there’s no question about that.”
Rep. Clarke, chair of the House Homeland Cybersecurity, Infrastructure Protection, and Innovation Subcommittee, agreed with Sen. King and Rep. Katko and said the administration understands the task ahead of them when it comes to creating resilient critical infrastructure.
“I think they can clearly understand, given the volume of attacks on our critical infrastructure in particular that we’ve had, that they have to get on the ball,” Rep. Clarke said. “I think that certainly what Senator King and Congressman Katko have stated about sort of building out an international framework and making sure that we enter into a new realm of understanding in that space is critical at this time.”
“I have no doubt that the administration recognizes the bad actors from nation-states and what that means for our infrastructure,” Rep. Clarke added. “And that they will indeed put forth the type of foreign policy initiatives that will serve as a deterrent and also strengthen our ability to react when need be.”