In event of cyberattack, who's in charge?
Connecting state and local government leaders
Lawmakers say lines of authority over defending cyberspace aren't clearly defined, and that a formal plan for response is missing.
Although the United States is building up a series of organizations and systems to defend its vital infrastructure from cyberattack, coordinating and managing this massive edifice remains a challenge. This lack of overall authority and strategic direction was a key topic brought up by government and private-sector groups in congressional testimony last week.
Speaking at a House Armed Services Subcommittee hearing on Emerging Threats and Capabilities, members of Congress and other speakers raised their concerns about the challenges facing national cyber defense. Defining clear lines of authority remains an issue that must be worked out.
Subcommittee chairman Max Thornberry (R-Texas) said that if enemy aircraft or ships attack U.S. territory, there are clear rules to invoke a military response. But how should the nation respond if there is an attack from cyberspace, he asked. Specifically, he wondered if the Defense Department or the federal government is able and authorized to commit to a response.
Related coverage:
Two years later, U.S. still not prepared to secure cyberspace, report warns
Determining what part of the government should respond to an attack remains a challenge due to a variety of factors, such as the nature of the attack, determining if and when an attack is taking place and where the attack came from. The Stars and Stripes reported that there is still no definite agreement between Congress, the White House, the intelligence community, the Defense and Homeland Security departments and industry stakeholders about who should watch over certain networks and respond in different cyberattack scenarios.
Some steps have been taken. The Stars and Stripes noted that two bills introduced last year seek to establish explicit lines of federal authority. The administration has also ordered the DOD and DHS to assign observers to sit in on each other’s cybersecurity operations to promote better coordination.
But House subcommittee members remained skeptical. “I have to say, I’m afraid many in industry and in government still fail to appreciate the urgency of this threat. Since I began working on this issue, I’ve been disappointed by the overall lack of serious response and commitment to this issue,” said Rep. James Langevin (D-R.I.).
Industry groups cautioned against a direct government takeover of the Internet during an emergency. Gregory Nojeim of the Center for Democracy and Technology warned that shutting down commercial computer networks in a crisis could have unforeseen effects, and may even make matters worse.
Speaking for the nation’s electric grid operators, Gerry Cauley, CEO of the North American Electric Reliability Corp., maintained that industry is constantly improving its security and developing new ways to handle crises. He said that the military should only step in if private firms are overwhelmed by a massive attack.
The ultimate answer to sorting out cyberspace jurisdictional issues between the DOD and DHS lies with Congress, said Rep. Hank Johnson (D-Ga.). “Just as the military does not police our streets, it should not police our civilian cyber infrastructure. But we must ensure that the armed forces have the necessary tools to protect and defend the country from cyber warfare,” he said.
NEXT STORY: Death, taxes – and spam in your inbox