The provision is part of the annual defense policy bill. The committee released a summary Friday, although the full text of the legislation won’t be released until a later date.

The executive summary of the bill only offers that a provision mandates “a strategy to reestablish a credible deterrence against cyberattacks targeting American critical infrastructure using the full spectrum of military operations.”

A senior congressional official who briefed reporters Friday on the condition of anonymity described the provision as trying to identify a full scope using various methods and full spectrum options to more critically deter adversaries, particularly China, from conducting attacks on critical infrastructure, especially defense critical infrastructure.

An official noted the provision directs DOD toward what the department needs to be doing to more effectively establish a deterrent. Officials in open testimony have indicated a clear concern that Beijing, in particular, continues to attack critical infrastructure.

They singled out Volt and Salt Typhoon by name, noting they’re a growing and more aggressive threat in cyberspace to utilities and critical infrastructure that supports DOD.

Volt Typhoon is one of a number of cyber players from China that have been discovered in U.S. networks, troubling American officials. For its part, Volt Typhoon was discovered inside U.S. critical infrastructure using a technique in the cybersecurity world dubbed “living off the land,” which means it’s using legitimate tools organic to the systems for malicious purposes.

China has become more brazen in intrusions and probes into U.S. and defense networks, particularly in maritime or port environments to potentially limit an American military mobilization response if Chinese leaders decide to invade Taiwan.

Guam, a key U.S. military outpost, has been a top target for Beijing in recent years. Chinese hackers targeted critical infrastructure there, burrowing deep inside a couple of years ago and startling experts who referred to it as one of the largest cyber espionage campaigns against America.  

What has particularly alarmed officials regarding Volt Typhoon is the paradigm shift of Chinese threats moving from espionage and intellectual property theft to holding critical infrastructure at risk.

Salt Typhoon, by contrast, has been found inside networks of telecoms and other companies, likely for the purpose of espionage.

Cyber deterrence has been an elusive policy point for many years. While some academics have pointed to evidence cyber deterrence exists, such as U.S. hesitance to hit back against Russia following its malicious activity in the 2016 election for fear of America’s great digital vulnerability, current and past officials have noted the difficulties of deterrence and how adversaries don’t fear the United States in cyberspace.

Senators recently pressed the Trump administration’s nominee to be the top cyber policy official at DOD on the subject.

“There’s no price to pay for our adversaries. I hope in your counsels within the Defense Department and in the administration you’ll argue for a serious and substantial cyber deterrent stated policy. If it’s not stated, a deterrent doesn’t work,” Sen. Angus King, I-Maine, a fierce critic of perceived weaknesses in cyber deterrence, said at the May hearing.

For her part, Katie Sutton, President Donald Trump’s nominee to be assistant secretary of defense for cyber policy, wrote to senators as part of her confirmation process that a critical part of her role, if confirmed, would be to improve the nation’s defenses and digital deterrent.

“Deterrence is possible in cyberspace and can be made more effective through a combination of denial, resilience, and credible responses. If confirmed, I will review the capabilities we have in our toolkit, integrate military cyberspace capabilities with other tools of national power, and restore deterrence in the cyber domain. One of my core goals as ASD Cyber Policy will be to ensure the Department has the offensive and defensive capabilities and resources necessary to credibly deter adversaries from targeting the United States,” she wrote.

While Salt Typhoon was considered traditional espionage activity, which is virtually impossible to deter, especially given the United States does the same thing, officials are hoping to deter activity like Volt Typhoon in the future.

As Trump was coming back into power for his second term, officials associated with the transition and new administration vowed a top priority would be a more aggressive posture in cyberspace to respond to a bevy of activity against the U.S., namely from China.

The post Senate panel pushing DOD on strategy to deter Chinese cyber activity on critical infrastructure appeared first on DefenseScoop.

Lawmakers expressed concern Tuesday regarding the United States’ ability to deter malicious activity in cyberspace.

“Do you think we’ve done enough over the last four years to deter our adversaries like China and Russia and Iran and North Korea by being essentially in a defensive crouch in the cyber world and not developing offensive plans and capabilities that can hold at risk the things that they hold most dear?” Sen. Tom Cotton, R-Ark., asked Katie Sutton, President Donald Trump’s pick to be assistant secretary of defense for cyber policy at her confirmation hearing.

Sutton would be the second official to hold that role since Congress created it in the fiscal 2023 annual defense policy bill.

“As I think Sen. Cotton characterized it, we’re not going to be able to defend ourselves if we’re in a defensive crouch at all times. We need to have both the capability for offensive cyber, but also I believe we need a stated doctrine,” Sen. Angus King, I-Maine, said. “Everyone in the world knows our doctrine of deterrence in nuclear armaments, for example. People should also understand a doctrine of deterrence that if you attack us in cyberspace, there will be a response.”

King has raised the issue of cyber deterrence, or lack thereof, at almost every cyber hearing before the Senate Armed Services Committee in recent years. He has voiced concern that there isn’t a coherent cyber deterrence strategy. In fact, at a confirmation hearing for now retired Gen. Paul Nakasone to be the head of U.S. Cyber Command seven years ago, King asked the nominee if adversaries feared the U.S. in cyberspace, to which Nakasone answered they don’t.

“There’s no price to pay for our adversaries. I hope in your counsels within the Defense Department and in the administration you’ll argue for a serious and substantial cyber deterrent stated policy. If it’s not stated, a deterrent doesn’t work,” King told Sutton at Tuesday’s hearing.

For her part, Sutton noted that if confirmed, she would work to make sure the U.S. has the right posture and it is well-articulated.

“The defender has to be wrong every time, [but] the adversary only has to be right once. I think that goes to show that while we need strong defenses, we are not going to deter the adversary with defenses only. And that if confirmed, I will work to strengthen our offensive cyber capabilities to ensure the president has the options he needs to respond to this growing threat,” she said.

In response to written questions from the committee, Sutton noted that a critical part of her role, if confirmed, would be to improve the nation’s defenses and digital deterrent.

“Deterrence is possible in cyberspace and can be made more effective through a combination of denial, resilience, and credible responses. If confirmed, I will review the capabilities we have in our toolkit, integrate military cyberspace capabilities with other tools of national power, and restore deterrence in the cyber domain. One of my core goals as ASD Cyber Policy will be to ensure the Department has the offensive and defensive capabilities and resources necessary to credibly deter adversaries from targeting the United States,” she wrote. “Under President Trump and Secretary [Pete] Hegseth’s leadership, I understand that DoD is laser-focused on restoring deterrence across all domains, including cyber, and will be assertive in addressing China’s unacceptable intrusions on civilian and government networks. While increasing our offensive cyber capabilities is critical, DoD must also remain vigilant in defending its own networks and critical infrastructure.”

Recent Chinese intrusions into U.S. critical infrastructure have raised concerns among American government and private sector leaders that Beijing could be prepping the battlespace for a potential conflict.

Officials in the Trump administration have expressed their desire to beat back Chinese efforts and develop a more offensive cyber footing.

Experts and officials have acknowledged that deterrence doesn’t have to be tit-for-tat in cyberspace, but senators expressed the need for more public-facing offensive capabilities against malicious activity.

Prior to 2018, the military conducted very few cyber operations. Experts and former officials have noted that there historically has been a risk aversion to conducting offensive ops in response to certain activities because it could be viewed as escalatory — a notion that has been largely disproven through academic research, especially given in recent years cyber activities have been viewed as a less escalatory response than traditional kinetic action.

Cyber Command’s “defend forward” concept — which involves operating on networks outside the United States in order to confront threats before they ever reach domestic networks, achieved through persistent engagement and challenging adversary activities daily and wherever they operate — was viewed as a remedy to that inaction. It sought to demystify cyber ops by conducting them consistently to give U.S. forces more reps and demonstrate to senior leaders what they could do.

Some of the authorities that were developed in 2018 by the executive branch and Congress and were foundational to enabling a more offensive posture for Cybercom, deserve a relook, according to Sutton.

“The cyber domain is continuing to evolve and the one constant that I’ve seen in being involved in this domain for over two decades is that the rate of change is exponential. My top priority if confirmed in this role will be to address this change with speed and agility in the department … I believe we’re at a point where we need to reevaluate those [authorities] and make sure that we’re postured to be able to respond to the increasing speed of cyber attacks and that we are able to address the incoming impacts of AI,” she said.

Those authorities include the first Trump administration’s National Security Memorandum-13, which prescribes the process by which cyber operations are conducted and coordinated in the interagency. Lt. Gen. William Hartman, acting commander of Cybercom, told the Senate Armed Services Subcommittee on Cybersecurity last month that that policy has increased the command’s ability to execute cyber operations tenfold.

Another important move previously made was Congress clarifying that cyber is a traditional military activity, clearing bureaucratic and interagency hurdles and allowing Cybercom to conduct critical preparations in cyberspace without a “hot” conflict present.

Sutton also pledge to change the culture around offensive cyber, noting that a decade ago there was hardly any mention of the term “offensive cyber” among U.S. officials. She pointed to the parallel of how the intelligence community would keep vulnerabilities for its own use, but now it seeks to share them more with industry to better defend themselves.

“I think that same culture change needs to happen in how we discuss cyber deterrence,” she said in response to Sen. Tim Kaine, D-Va., who questioned why the Defense Department can’t be more candid in discussing offensive activity more publicly.

“We talk about offensive operations in other military domains — the number of sorties we were flying against [ISIS], we know when there’s a U.S. bombing in Yemen against Houthis, we’re aware of it. But we don’t talk about what we do offensively in cyber very much,” he said. “It ends up making the public very aware that we’re under attack because [of] the news stories a couple of times a year about successful cyber attacks. But the public never hears about our use of the offensive cyber capacity to impose costs on those who are attacking us. Why can’t we be a little more candid with the American public about our offensive use of cyber so that they’re aware that we’re not just playing defense all the time but that we actually have an offensive capacity that we use?”

Part of the reason the U.S. government has been hesitant to discuss offensive cyber more openly is to avoid tipping off adversaries. If a vulnerability is known by the target, it can be patched and cut off as an avenue for attack.

The post Senators press DOD cyber policy nominee to push for deterrence doctrine appeared first on DefenseScoop.