Rounds: Senate cyber subcommittee to focus on foreign capabilities WASHINGTON — The new Senate subcommittee charged with oversight of military’s role in cyberspace announced it will hold a hearing on cyber-enabled information operations, which Russia is alleged to have employed during the 2016 U.S. elections. Former NSA Deputy Director John Inglis and former acting Under Secretary Of Defense for Policy Michael Lumpkin are set to testify with other outside experts. Defense News interviewed Armed Services Cybersecurity Subcommittee Chair Sen. Mike Rounds, R-S.D., who said his first priority for the new panel is simply getting a lay of the land. Beyond that beyond, he aims to press the administration to complete work on U.S. policy that would define an act of war in cyberspace. Foreign actors in cyberspace have reportedly been more aggressive lately, not necessarily hiding what they’re doing and maybe even testing the United States. Your thoughts? I think the Russians clearly knew we could see what they were doing with regard to the information they were dispensing. I don’t think there is any secret about that. I think we have to take each of our competitors separately. China clearly has capabilities, they don’t necessarily share them publicly. Iran and North Korea probably simply aren’t as capable as our peer competitors when it comes to hiding their capabilities. They’re not as adept. Then you have the problem children, the terrorist groups and the actual thieves, all of whom we have to have defense capabilities to stop from getting into our systems. They’re not as good as the peer competitors, Russia and China. What’s on the top of your agenda? Is it Russia questions? Is there space in there for the Senate Armed Services Committee and your subcommittee? Most of that information will come from the Senate Intelligence Committee review. Our interest is exploring what their capabilities are, getting a situational awareness of Russian capabilities and Chinese capabilities — comparing that with our capabilities, our strengths and our weaknesses. One of our next steps will be to look at information campaigns, how other countries do it, and that will be an open-source meeting. That’s maybe the next thing we’d like to do. There’s been some congressional testimony lately about the Russian disinformation campaign and the U.S. being targeted. They have been doing that for generations. The difference is now they’re using cyber and they’re very adept at it. They’ve integrated not just the collection of information but the release of information using sources like WikiLeaks. To take all that, put it together and put it out in such a fashion that its got some substance to it and a lot of misinformation. Or take the case of [Democratic National Committee] leaks, they used cyber to get in, they stole it and instead of looking at somebody’ notes on their desk they took it from a computer and now they’re sharing it. It was private information, never intended to be released, and they were able to embarrass those individuals. They tried to do it with the Republican Party. This isn’t something they wouldn’t have tried to do before. They’re just getting better at it. They did it, in this case, overtly to give us a lack of confidence in our election process and to hurt Hillary Clinton. Is the idea to open this up and educate the American people, and is there a space for Congress to legislate? This was simply: They thought Hillary Clinton was going win, and they thought this would weaken her position as the leader in America. They took the opportunity to do that, politically, and to take some attention off their own government to say: ‘See, we’re not the only ones that [have] problems — America has problems and democracy isn’t that great.’ That was what this was about. It’s not new — this is what they tried to do in the past. The difference: They’ve used cyber to do it to a very successful degree. And the role for Congress now? First, what we want to have is how we create and review a cyber policy with regard to the cyber domain: acts of war, acts of aggression and what should be our public policy approach as to how we respond — not limiting ourself to just a cyber response but to all the different domains, to use whatever resources the executive branch feels is necessary with an understanding of what is acceptable. It’s more than what our country thinks, it’s what our allies feel as well. We’ll be looking to NATO. They talk about what they believe to be appropriate uses for cyber and cyberattacks, both the act of war level and also at the level of not being at the level of an act of war but an aggressive act in cyberspace. Are investigations in Russian cyber activities not the purview of the committee? I think our purview is to look at cyber capabilities. In this case, the Senate Intelligence Committee is where that should remain. We don’t need lots of different people chasing lots of different areas. What we want to do is learn what the capabilities were that our adversaries have and talk about public policy with regard to the use of cyber and the activities in the cyber domain. Once the policy is out there, does that set the stage for other decisions on resourcing and capabilities? You’re following right, but I want to build a base, a good foundation upon which to make recommendations. We need to have situational awareness of what the adversaries have and listen to the experts. We’re not experts on the committee, but we are listening to experts and getting good data on cyber capabilities and cyber needs. Are you mandating the administration create a policy by a certain date? We have done that already. I proposed legislation and it was put into 2017 [National Defense Authorization Act] that by the end of this year they have to come back with a cyber policy, in terms of determining what an act of war is. Will you look into the split of the National Security Agency and Cyber Command? Absolutely, and I’m open to this. I think at some point it will happen. Gen. [John] Hyten, [commander of U.S. Strategic Command], who we’ve just visited with, is interested in seeing it happen at some point. But we want to make sure the platform they would move to has all of the capabilities necessary. We don’t want them to simply move out and then begin to build. We want to make sure they have the capabilities and [we] listen to their recommendations and [we] make a decision. What about the concern that if you separate the two, you leave one disadvantaged? On the flip side, if you have two organizations, you have to resource both, and that’s more money. Are the two organizations competing against one another for it? That’s why I want to get good data before we make a decision. We’ll listen to what the pros have to say and make a decision based on our best judgement.