The Pentagon is still grappling with how to write the rules of cyberwarfare, such as when and how to fire back against a computer-based attack, senior military leaders told Congress July 25.
Four months ago the military’s top cyberwarrior predicted the rules would be ironed out in a “month or two” and sent to other federal agencies for discussion. But the complex world of cyberspace, which has no real boundaries and operates at the speed of light, has proven to be a difficult battlefield for the military to map out.
House members said that working out the rules of cyberwar is critical so that the military will be able to respond quickly when U.S. networks are attacked or threatened. Rep. Mac Thornberry, R-Texas, told military leaders that there likely won’t be time for Congress to pass a declaration of war if or when a computer-based attack happens.
So, consultation with lawmakers beforehand would smooth things over, said Thornberry, chairman of the House Armed Services emerging threats subcommittee.
“The devil is in the details,” acknowledged Vice Adm. Michael Rogers, commander of the Navy’s Fleet Cyber Command. He said it has been an issue for some time, and that he expects there will be some developments “at some point in the near term.”
During hearings in March, members of Congress pressed Army Gen. Keith Alexander, head of U.S. Cyber Command, for details on the military rules of engagement for offensive cyberoperations, particularly so that U.S. forces have the proper authority to act quickly when an attack is discovered or a network is breached. Alexander, who also heads the secretive National Security Agency, said at the time that U.S. officials were reaching some agreement on the rules.
The military has longstanding rules of engagement for conventional warfare that lay out the appropriate response to a particular act or attack by another country or faction. And last year President Barack Obama signed execute orders that detailed how far military commanders around the globe can go in using cyberattacks against enemies and laid out when the military must seek presidential approval for a specific cyberassault.
The current ground rules for cyberoperations were written in 2005, but are not adequate for the current technologies. The new rules, said Alexander in March, would allow the military to stop breaches as they were happening and would detail the conditions necessary to take those actions.
Senior officers from the Army, Navy, Air Force and Marine Corps who are responsible for cyberoperations testified before the subcommittee. They said that the armed services are using bonuses and other enticements to recruit and retain cyberwarriors, while competing with private industry for candidates.
But lawmakers wondered about funding shortfalls that could stifle the increase in cyberpersonnel the Pentagon is bringing on.
“We are facing significant fiscal challenges in the coming years,” said Rep. Jim Langevin, D-R.I. “Cyberrelated activities are faring reasonably well so far, but nothing is immune, and even noncyberspecific cuts could have an impact on your commands as personnel resources are reduced or research and development funding decreased.”
Rogers said that attracting and keeping his cyberworkforce is a “significant challenge, given the rapidly evolving nature of cyberspace and the intense competition from industry for top talent.”
And other said that dramatic budget cuts, which will become necessary early next year if Congress can’t agree on funding, would be a problem.
Maj. Gen. Suzanne Vautrinot, commander of Air Forces Cyber, said the cuts would be devastating and cause the Air Force to lose ground.
As to the size of their cyberworkforce, the Air Force has about 17,000, the Army has about 11,000; the Navy has about 14,000; and the Marines have about 700. Cyber has been one defense area where spending has increased, even as budget cuts hit other places.
Vautrinot also noted that the Air Force has been working to make sure that key drone operations are protected against cyberattacks, focusing on the highest priority missions. Last year, a computer virus infected the Pentagon’s drone program, but it did not get into flight controls.