Director of National Intelligence Dan Coats told senators Tuesday that an administration policy on cyber warfare is still a “work in progress” as they weigh the “dicey” prospect of going on offense.
Coats testified before the Senate Armed Services Committee on worldwide threats that the cyber threat “is one of my greatest concerns and top priorities of our office.”
“From U.S. businesses to the federal government to state and local governments, we are under cyber attack,” he declared. “While state actors pose the greatest cyber threats, the democratization of cyber capabilities worldwide has enabled and emboldened a broader range of actors to pursue their malign activities against us.”
“We assess that Russia is likely to continue to pursue even more aggressive cyber attacks with the intent of degrading our democratic values and weakening our alliances. Persistent and disruptive cyber and influence operations will continue against United States and European countries and other allies, using elections as opportunities to undermine democracy and sow discord and undermine our values.”
In addition to Russia, he said, Chinese, Iranian and North Korean cyber actors “continue to build off past successes to improve the scope and scale of their cyber capabilities.”
Coats said Russia is emboldened by a sense that its past influence operations have been successful and “views the 2018 U.S. midterm elections as a potential target.”
“We continue to see Russian activities designed to exacerbate social and political fissures in the United States,” he said. “In the next year, we assess Russia will continue to use propaganda, social media, false flag personas, sympathetic spokesmen and other means of influence to try to build on its wide range of disruptive operations.”
Defense Intelligence Agency Director Lt. Gen. Robert Ashley listed cyber among myriad threats the U.S. faces, noting that “our top competitors are developing and using cyberspace to increase their operational reach into our military and civilian systems, exploiting our vulnerabilities and challenging the adequacy of our defense.”
Upon questioning about U.S. cyber posture, Coats told lawmakers that there are “ongoing discussions among a number of our agencies — Department of Homeland Security, Department of Defense, the State Department and others — relative to the cyber threat.”
“Our office recently met with three of the most — current agencies dealing with this, NSA and others, to talk about the effect of cyber on the upcoming elections, but as well as the impact of that,” he said. “It’s a whole-of-government approach. I have discussed it personally with the president of the United States. He has said, ‘I assume you’re doing your job, all of you who head up these agencies relative to cyber. But if you need for me to say — direct you do it, do it.’”
Ranking Member Jack Reed (D-R.I.) acknowledged that discussions are ongoing but “the plan of action and the direction to take action seems to be missing.”
“Do you believe that this country today has an appropriate and clear policy with regard to cyber warfare?” asked Sen. Mike Rounds (R-S.D.).
“No. I think that’s a work in process, and needs to be in process,” Coats replied. “And I do believe there’s real concern that we take action because we’re seeing the results of our adversaries using cyber to degrade any number of things here in the United States.”
Stressing again the “whole-of-government effort” roping in various agencies and stakeholders and the “very significant threat to the United States,” the DNI called it “a dicey issue.”
“We know the capabilities, and been on the losing end of some of those capabilities, of our other cyber actors. Starting a potential retaliation for actions that are taken from an offensive response have to be weighed in the context of all that. Our critical infrastructure, which a number of efforts are underway to protect that infrastructure, but we still haven’t, from a policy standpoint, either from the executive branch or the congressional branch, defined exactly what that is and how we’re going to support those defenses,” Coats said. “And then the question of response, I think is something that really needs to be discussed, because there are pros and cons about how we should do that.”
“I have personally been an advocate of playing offense as well as defense. I think we’ve done a pretty good job on defense, but we don’t have an offensive plan in place that we have agreed on to be the policy of the United States.”
Coats said the “continuing influence by the Russians” is understood in the administration, but he couldn’t answer “which agency or which individual person is taking the lead, at this point.”
Ashley emphasized that “cyber is a weapons system,” but “in terms of looking at the context of the nature and the character of war, you know, we no longer have the Westphalia, everybody lines up on the border — 1648, right? — and we come across.”
“So the line of which you declare hostilities is extremely blurred, and if you were to ask Russia and China, ‘Do you think you’re at some form of conflict with the U.S.?’ I think behind closed doors their answer would be yes,” the DIA chief said. “So it’s hard to make that determination to definitively say, you know, what constitutes an act of war when you’re in the gray zone in a lot of the areas that you operate.”
Asked when lawmakers can expect a cyber plan from the administration, Coats said he couldn’t give a specific date.
Sen. Lindsey Graham (R-S.C.) brought up the policy of mutually assured destruction. “If we’re attacked by nuclear weapons, we will wipe out the country who attacked us,” he said. “Do we have anything like that in the cyber arena?”
“Not to my knowledge,” replied Coats.
“Do you think we’d be well served to let countries know you attack America through cyberspace at your own peril?” Graham asked.
“Well, I think that message has already been delivered, but if it hasn’t, it needs to be,” said the director of National Intelligence.