The Trump administration is hard at work on a governmentwide strategy to deter adversary cyberattacks despite missing a self-imposed deadline to draft that policy, National Security Agency Director Michael Rogers told lawmakers Tuesday.
President Donald Trump promised soon before his inauguration in January he’d release a plan to vastly improve the nation’s cybersecurity within 90 days of taking office, a deadline that passed last month.
Senate Armed Services Chairman John McCain, who regularly hammered the Obama administration for its lack of a detailed cyber deterrence strategy, expressed dismay during a committee hearing that the Trump team seems to be similarly falling short.
“We were hopeful that after years without any serious effort to develop a cyber deterrence policy and strategy from the last administration, the new administration promised one within 90 days of the inauguration.” he said, adding the 90-day window has “come and gone and no such policy and strategy have been provided.”
Rogers defended the delay, saying the administration is working diligently on the problem, which involves “a whole lot of complexity and nuance.”
“I know that these discussions are ongoing. I’ve been a part of some of them,” Rogers said. “I’m grateful that the team is willing to reach out and say: ‘Hey, Adm. Rogers, from your perspective, what do you think? What do you see?’”
U.S. Cyber Command, which Rogers also leads, remains on track to be fully operational in 2018, he told committee members, though he acknowledged some difficulties in the process by which military services supply troops to CYBERCOM.
McCain expressed concern that many CYBERCOM troops who go through rigorous training end up moving to non-cyber posts on future tours. Specifically, out of 127 U.S. Air Force officers who did a first tour with CYBERCOM’s Cyber Mission Forces, the cyber troops based within the military services, none returned to a cyber-related job at CMF, McCain said.
Rogers said he’s spoken with Air Force officials who have pledged to remedy the situation. Going forward, CYBERCOM hopes to retain about one-third of the troops it trains through multiple tours, he said.
Rogers also acknowledged there were intense interagency debates during the Obama administration about whether offensive cyber operations against the Islamic State group could extend to computer infrastructure outside the physical war zones of Iraq and Syria. Broader debates about the topic are ongoing during the Trump administration, he said.
Details of that conflict, and of the counter-ISIS cyber operation, were described in a Tuesday Washington Post article citing anonymous officials in the Trump and Obama administrations.
Roger only confirmed the government debate, not any details of the ISIS operations.
Former Defense Secretary Ash Carter acknowledged in 2016 the U.S. was using digital attacks to undermine ISIS but did not provide details. It is one of the only times U.S. officials have acknowledged taking offensive cyber actions, though they have hinted they might have taken others, including against Russian targets following that nation’s meddling in the 2016 U.S. presidential election.