While the federal government currently has no consensus as to what constitutes cyber war, Congress is certainly doing a lot of talking about the cyber threat. As of June 2017, there have been 20 congressional hearings pertaining to cyber security, cyber threats and cyber warfare. Congress has also considered related legislation, most having to do with strengthening local and state cyber capabilities versus defining cyber war.
One of the more recent pieces, an amendment to the Countering Iran’s Destabilizing Activities Act of 2017, was introduced June 12 by Senate Majority Leader Mitch McConnell, R-Ky., on behalf of Sen. Mike Crapo, R-Idaho. The amendment (S.A. 232) escalates and expands the current sanctions against Russia by codifying and modifying six current executive orders, two of which relate to Russia’s malicious cyber activity. The amendment also creates several new sanctions against Russia, including for “malicious cyber actors.” As memorialized in the Congressional Record of June 13, 2017, Crapo said on the Senate Floor, “Our amendment also demonstrates our resolve in responding to cyber attacks against U.S. citizens and entities and against our allies.”
One of the few direct inquiries into cyber war occurred more than a year ago, in June 2016, when Rep. James Himes, D-Conn.—a member of the House Foreign Affairs and Armed Services committees—introduced the Cyber Act of War Act of 2016. This bill directs the president to develop a policy for determining when an action carried out in cyber space constitutes a use of force against the United States and to revise the Department of Defense Law of War Manual accordingly.
In developing this policy, the bill asks the president to consider the ways in which a cyber attack’s effects may be equivalent to a conventional attack’s effects, including physical destruction or casualties, and intangible effects of significant scope or duration.
While it seems like this bill speaks to the issues being wrestled with, it doesn’t seem to have moved since being referred to the House Armed Services Subcommittee on Emerging Threats and Capabilities in June 2016. For its part, the Trump administration has made some efforts to strengthen cyber security. On May 11, the president signed an executive order requiring each government agency to submit a report describing its security measures and significant risks. It also requires all federal agencies to adopt the Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology, and to upgrade critical infrastructure. Additionally, the Department of Defense has requested $647 million dollars for its U.S. Cyber Command, an increase of 16% from last year’s requested amount. On June 12, the chairman of the Joint Chiefs of Staff, Gen. Joseph Dunford, told lawmakers that the U.S. Cyber Command is “simultaneously conducting cyber operations now against multiple adversaries.”
Since 2012, the DoD has also conducted an annual Cyber Guard, which is a multiweek exercise that includes hundreds of participants from all sectors, including the federal government, state National Guards, power companies, banks, port facilities and allied foreign partners. “This is our seed corn for the future,” Adm. Michael Rogers said in a DoD news article. Rogers commands the U.S. Cyber Command, directs the National Security Agency and serves as chief of the Central Security Service. He noted that those who work at CYBERCOM view themselves as “the warriors of the 21st century.”