CIA Chief Hints at Covert Retaliation for Cyberattacks
Senator invokes "Dr. Strangelove" in criticism of secret responses to hacks.
In all fairness, Sen. Angus King warned them out front he was steaming mad.
“The first statement I want to make is more in sorrow than in anger. I’ll get to the anger part in a minute,” the independent senator from Maine said.
King was addressing some of the most powerful men in the country, from the Director of National Intelligence to the chiefs of the CIA, NSA, FBI, Defense Intelligence Agency and National Geospatial-Intelligence Agency at Tuesday’s Senate Intelligence Committee hearing on Worldwide Threats – an annual face-to-face discussion about what keeps the top U.S. national security officials up at night.
The row of stern-faced men waited patiently as King made a brief aside about Russian influence operations and the denials thereof by President Donald Trump, and then King got to “the anger part” – the part that “involves cyberattacks.”
“You have all testified that we’re subject to repeated cyberattacks. Cyberattacks occurring right now in our infrastructure all over this country,” King said. “I am sick and tired of going to these hearings, which I’ve been going to for five years, where everybody talks about cyberattacks and our country still does not have a policy or a doctrine or a strategy for dealing with them.”
King turned his ire on Director of National Intelligence Dan Coats and quoted the intelligence community’s written threat report that said that nations with offensive cyber capabilities like Russia, China, Iran and North Korea “will work to use cyber operations to achieve strategic objectives unless they face clear repercussions for their cyber operations.”
“Right now there are none!” King exploded. “Is that not the case? There are no repercussions. We have no, no doctrine of deterrence.”
Coats gamely parried by saying those were “very relevant questions” and reminded King that it’s not the intelligence community’s mandate to make policy. But it was CIA Director Mike Pompeo who took issue with part of King’s declaration.
“I would also argue that — and while I can’t say much in this setting — I would argue that your statement that we have done nothing does not reflect the responses that frankly some of us at this table have engaged in and the United States government has engaged in… both during and before this administration,” Pompeo said.
The exchange was significant because Pompeo publicly implied that his agency and other U.S. intelligence outfits had been involved in some secret or covert action against offending nations in direct retaliation for cyberattacks — and that it wasn’t working to deter just about anyone.
That’s because, as a former senior White House official told RealClearLife, covert action is no substitute for a real-life, public cyber deterrent strategy.
“We need a strategy and need to publicize it,” said the ex-official. “Covert action always has to be the last resort… and having and publicizing a strategy will help ensure that.”
The problem with covert action as a deterrent is in its nature. It is, by definition, meant to hide America’s hand in whatever damage it does to an adversary. What’s the use if a foreign actor doesn’t realize it’s being punished, or by whom?
“Deterrence doesn’t work unless the other side knows it,” King told Pompeo. “The Doomsday Machine in ‘Dr. Strangelove’ didn’t work because the Russians hadn’t told us about it.” (In the 1964 Stanley Kubrick film, the Soviet Union has developed a Doomsday Machine that would automatically destroy the world should the country ever be attacked by the U.S. — the ultimate mutually assured destruction device. But, as King noted, they don’t let the American government know about it until it’s far too late, rendering the whole idea useless and the world, appropriately, doomed.)
Pompeo responded that “it’s true that it’s important that the adversary know it. It is not a requirement that the whole world know it.” When asked if “the adversary” knew the U.S had been behind any recent secret operations, Pompeo would only say that he’d prefer to discuss that in another, presumably less public forum.
But even if the adversary guesses the game, which the ex-White House official said is likely, what about everyone else? Some have argued the U.S. needs to go loud to do any good.
“We need to deter the Russians and anyone else who is watching this — and you can bet your bottom dollar that the Chinese, the North Koreans, the Iranians are all watching,” former CIA Acting Director Michael Morrell told The Cipher Brief more than a year ago, while discussing U.S. options for responding to alleged Russian cyberintrusions related to the 2016 presidential election. “A covert response would significantly limit the deterrence effect. If you can’t see it, it’s not going to deter the Chinese and North Koreans and Iranians and others, so it’s got to be seen.”
Beyond responding to that particular incident, King is the latest to call for a “clear doctrine” to lay out for the world where the U.S. sees red lines in cyberspace.
“What is a cyberattack? What is an act of war? What will be the response? What will be the consequences? And right now I haven’t seen it,” he said, echoing long-held concerns of former intelligence officials and cybersecurity experts.
Pompeo said he’s on board. “There is a lot of work here to do. We do need a U.S. government strategy and clear authorities to go achieve that strategy,” he said.
But until that happens, NSA Director Mike Rogers said there’s no doubt that the cyberattacks will keep coming.
“We have to change this current dynamic because we’re on the wrong end of the cost equation,” he said.
And officials already know the next big target: this year’s midterm elections. To a man, each said they expect Russia to do an encore of its 2016 election interference and influence operation to once again attempt to disrupt the American democratic process.
Whatever covert action is going on in the shadows in Moscow, if any, apparently isn’t doing a lot to cow the Kremlin.