Amid budding sentiment in the Trump administration and Congress to expand offensive cyber operations, some lawmakers and experts are warning that the United States needs to get its defenses in order before going too far down that road.
A House Homeland Security subcommittee on Tuesday examined how to deter foreign cyberattacks, with an emphasis on the role U.S. attacks could play in countering them. One long-running concern about improving U.S. offense is how it might provoke further attacks.
“I’m concerned we’re putting the cart before the horse, when we have not had a hearing on why the [Cybersecurity and Infrastructure Security] Agency has lost one-third of its workforce in the last year,” the top Democrat on the full committee, Bennie Thompson of Mississippi, said. “We ought to be cautious about pursuing an approach involving the use of offensive cyber tools that could result in retaliation or escalation if we’re not in a position to help defend U.S. networks.”
Other panel Democrats invoked a sentiment from sports about the importance of defense over offense. “Both are still important,” Rep. James Walkinshaw, D-Va., said during the hearing of the Cybersecurity and Infrastructure Protection Subcommittee.
Emily Harding with the Center for Strategic and International Studies, a D.C.-based think tank, testified that as the United States takes steps toward a more aggressive posture in cyberspace, it also needs to fund important defensive upgrades for federal government networks.
The chair of the subcommittee, Andy Ogles, R-Tenn., said that while defense was important, “defense alone is not sufficient,” and that “deterrence in cyberspace doesn’t exist without operational cyber offensive capabilities.”
The private sector could have a bigger role to play in boosting the country’s offense, since cybersecurity companies, tech providers and other businesses often have the best vantage point on attacks as both victims and investigators, Ogles said.
But much of what companies could do to bolster offense “exists in legal and policy gray space,” he said. “Companies face uncertainty about liability, retaliation and regulatory risk.”
A hybrid approach, with private sector companies supporting government offensive operations rather than directly carrying them out, generated the broadest support at the hearing. Harding said Congress could provide legal protections to companies in those circumstances.
CISA should play a key role in coordinating any public and private sector offensive activity, said Drew Bagley, chief privacy officer at CrowdStrike.
“This committee can ensure that CISA is properly focused and resourced to perform this mission,” he said in written remarks. “From an oversight perspective, you can ensure it has authorities, talent and capabilities to maximize its impact.”
