Rebuking the Trump Administration for its “passivity,” Congress is pressing the Department of Defense to engage in “active defense” in cyberspace against Russia, China, North Korea and Iran.
A new provision in the conference report on the FY2019 national defense authorization act (sect. 1642) would “authorize the National Command Authority to direct the Commander, U.S. Cyber Command, to take appropriate and proportional action through cyberspace to disrupt, defeat, and deter systematic and ongoing attacks by the Russian Federation in cyberspace.” It would further “add authorizations for action against the People’s Republic of China, the Democratic People’s Republic of Korea, and the Islamic Republic of Iran.”
“The conferees have been disappointed with the past responses of the executive branch to adversary cyberattacks and urge the President to respond to the continuous aggression that we see, for example, in Russia’s information operations against the United States and European allies in an attempt to undermine democracy.”
“The administration’s passivity in combating this campaign. . . will encourage rather than dissuade additional aggression.”
“The conferees strongly encourage the President to defend the American people and institutions of government from foreign intervention,” the report language said.
The congressional report does not propose an actual cyber strategy, nor does it specify desired outcomes, or address unintended consequences.
Another provision in the new conference report says that the Department of Defense ought to be just as assertive and “aggressive” in cyberspace as it is elsewhere (sect. 1632).
“The conferees see no logical, legal, or practical reason for allowing extensive clandestine traditional military activities in all other operational domains (air, sea, ground, and space) but not in cyberspace,” the report said.
“It is unfortunate that the executive branch has squandered years in interagency deliberations that failed to recognize this basic fact and that this legislative action has proven necessary.”
“The conferees agree that the Department should conduct aggressive information operations to deter adversaries.”
Curiously, the report found it necessary to add that “the conferees do not intend this affirmation as an authorization of clandestine activities against the American people.”
In general, another provision (sect. 1636) states, the U.S. needs to be ready for war in cyberspace:
“It shall be the policy of the United States, with respect to matters pertaining to cyberspace, cybersecurity, and cyber warfare, the United States should employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond to when necessary, all cyber attacks or other malicious cyber activities of foreign powers that target United States interests with the intent to… cause casualties among United States persons or persons of United States allies; significantly disrupt the normal functioning of United States democratic society or government (including attacks against critical infrastructure that could damage systems used to provide key services to the public or government); threaten the command and control of the Armed Forces, the freedom of maneuver of the Armed Forces, or the industrial base or other infrastructure on which the United States Armed Forces rely to defend United States interests and commitments; or achieve an effect, whether individually or in aggregate, comparable to an armed attack or imperil a vital interest of the United States.”