A week after President Obama announced an agreement with Chinese President Xi Jinping to limit corporate espionage—a tentative step toward setting up norms of state behavior on the Internet—a panel of senators urged cybersecurity officials in the Defense Department to go further in establishing clear rules of war for cyberattacks.
As senators on the committee pushed Tuesday for a more clearly delineated cyber policy—and better follow-through to make U.S. intentions clear—the committee’s chairman, Sen. John McCain of Arizona, suggested the lack of such a policy is illegal.
In a heated exchange, McCain pressed Deputy Defense Secretary Robert Work on his department’s progress in developing an “integrated policy” for cybersecurity, a task Congress assigned the department in the fiscal year 2014 Defense reauthorization bill.
“Suppose there’s an attack, a cyberattack, like the one on OPM,” McCain said, referring to a pair of data breaches at the Office of Personnel Management that affected more than 22 million individuals. “Do we have a policy as to what we do?”
Work began responding, haltingly, “The first is to try—first we deny and then we first find out, we do the forensics—”
McCain cut him off, and asked repeatedly whether it is Pentagon policy to counterattack after such a breach. Work said a counterattack is “one of the options.”
“That’s not a policy, Secretary Work,” McCain responded. “That is an exercise in options. We have not got a policy, and for you to sit there and tell me that you do—a ‘broad-strokes strategy,’ frankly is not…