From NextGov:

A week after Pres­id­ent Obama an­nounced an agree­ment with Chinese Pres­id­ent Xi Jin­ping to lim­it cor­por­ate es­pi­on­age—a tent­at­ive step to­ward set­ting up norms of state be­ha­vi­or on the In­ter­net—a pan­el of sen­at­ors urged cy­ber­se­cur­ity of­fi­cials in the De­fense De­part­ment to go fur­ther in es­tab­lish­ing clear rules of war for cy­ber­at­tacks.

As sen­at­ors on the com­mit­tee pushed Tues­day for a more clearly de­lin­eated cy­ber policy—and bet­ter fol­low-through to make U.S. in­ten­tions clear—the com­mit­tee’s chair­man, Sen. John Mc­Cain of Ari­zona, sug­ges­ted the lack of such a policy is il­leg­al.

In a heated ex­change, Mc­Cain pressed Deputy De­fense Sec­ret­ary Robert Work on his de­part­ment’s pro­gress in de­vel­op­ing an “in­teg­rated policy” for cy­ber­se­cur­ity, a task Con­gress as­signed the de­part­ment in the fisc­al year 2014 De­fense reau­thor­iz­a­tion bill.

“Sup­pose there’s an at­tack, a cy­ber­at­tack, like the one on OPM,” Mc­Cain said, re­fer­ring to a pair of data breaches at the Of­fice of Per­son­nel Man­age­ment that af­fected more than 22 mil­lion in­di­vidu­als. “Do we have a policy as to what we do?”

Work began re­spond­ing, halt­ingly, “The first is to try—first we deny and then we first find out, we do the forensics—”

Mc­Cain cut him off, and asked re­peatedly wheth­er it is Pentagon policy to coun­ter­at­tack after such a breach. Work said a coun­ter­at­tack is “one of the op­tions.”

“That’s not a policy, Sec­ret­ary Work,” Mc­Cain re­spon­ded. “That is an ex­er­cise in op­tions. We have not got a policy, and for you to sit there and tell me that you do—a ‘broad-strokes strategy,’ frankly is not…

Continue Reading